Why Australia's data privacy laws are in real need of reform

Opinion | 1 April 2024

An urgent update of privacy laws is needed as Australians are tracked, targeted and profiled by businesses and data brokers, writes UNSW Sydney's Katharine Kemp

Australian consumers don’t understand how companies – including data brokers – track, target and profile them. This is revealed in new research on consumer understanding of privacy terms, released by the non-profit Consumer Policy Research Centre and UNSW Sydney.

Our report also reveals 70 per cent of Australians feel they have little or no control over how their data is disclosed between companies. Many expressed anger, frustration and distrust. These findings are particularly important as the government considers long-overdue reforms to our privacy legislation, and the consumer watchdog finalises its upcoming report on data brokers.

If Australians are to have any hope of fair and trustworthy data handling, the government must stop companies from hiding their practices behind confusing and misleading privacy terms and mandate fairness in data handling.

Katharine Kemp_UNSW.jpg — UNSW Sydney's Katharine Kemp says that about 70 per cent of Australians feel they have little or no control over how their data is disclosed between companies. Photo: supplied

We are all being tracked

Our activities online and offline are constantly tracked by various companies, including data brokers that trade in our personal information. This includes data about our activity and purchases on websites and apps, relationship status, children, financial circumstances, life events, health concerns, search history and location. Many businesses focus their efforts on finding new ways to track and profile us, despite repeated evidence that consumers view this as misuse of their personal information.

Companies describe the data they collect in confusing and unfamiliar terms. Much of this wording seems designed to prevent us from understanding or objecting to using and disclosing our personal information, often collected in surreptitious ways. Businesses can use your data to make more profit at your expense. This includes

charging you a higher price
preventing you from seeing better offers
micro-targeting political messages or ads based on your health information
reducing the priority you’re given in customer service
creating a profile (which you’ll never see) to share with a prospective employer, insurer or landlord.

Anonymised, pseudonymised, hashed

Businesses commonly try to argue this information is “de-identified“ or not “personal“, to avoid running afoul of the federal Privacy Act in which these terms are defined.

But many privacy policies muddy the waters by using other, undefined terms. They create the impression data can’t be used to single out the consumer or influence what they’re shown online – even when it can. Privacy policies commonly refer to:

anonymised data
pseudonymised information
hashed emails
audience data
aggregated information.

These terms have no legal definition and no fixed meaning in practice. Data brokers and other companies may use “pseudonymised information” or “hashed email addresses” (essentially, encrypted addresses) to create detailed profiles. These will be shared with other businesses without our knowledge. They do this by matching the information collected about us by various companies in different parts of our lives.

“Anonymised information” – not a legal term in Australia – may sound like it wouldn’t reveal anything about an individual consumer. Some companies use it when only a person’s name and email have been removed, but we can still be identified by other unique or rare characteristics.

What did our survey find?

Our survey showed Australians do not feel in control of their personal information. More than 70 per cent of consumers believe they have very little or no control over what personal information online businesses share with other companies.

Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.

Most consumers have no understanding of common terms in privacy notices, such as “hashed email address” or “advertising ID” (a unique ID usually assigned to one’s device).

And it’s likely to be worse than these statistics suggest, since some consumers may overestimate their knowledge. The terms refer to data widely used to track and influence us without our knowledge. However, when consumers don’t recognise descriptions of personal information, they’re less likely to know whether that data could be used to single them out for tracking, influencing, profiling, discrimination or exclusion.

Most consumers either don’t know, or think it unlikely, that “pseudonymised information”, a “hashed email address” or “advertising ID” can be used to single them out from the crowd. They can.

Most consumers think it’s unacceptable for businesses they have no direct relationship with to use their email address, IP address, device information, search history or location data. However, data brokers and other “data partners” not in direct contact with consumers commonly use such data.

Consumers are understandably frustrated, anxious and angry about the unfair and untrustworthy ways organisations make use of their personal information and expose them to increased risk of data misuse.

Fairness, not ‘education’

Simply educating consumers about the terms used by companies and the ways their data is shared may seem an obvious solution.

However, we don’t recommend this for three reasons. Firstly, we can’t be sure of the meaning of undefined terms. Companies will likely keep coming up with new ones.

Secondly, it’s unreasonable to place the burden of understanding complex data ecosystems on consumers who naturally lack expertise in these areas.

Thirdly, “education” is pointless when consumers are not given real choices about the use of their data.

Subscribe to BusinessThink for the latest research, analysis and insights from UNSW Business School

Urgent law reform is needed to make Australian privacy protections fit for the digital era. This should include clarifying that information that singles an individual out from the crowd is “personal information”. We also need a “fair and reasonable” test for data handling, instead of take-it-or-leave-it privacy “consents”.

Most of us can’t avoid participating in the digital economy. These changes would help ensure that instead of confusing privacy terms, there are substantial, meaningful legal requirements for how our personal information is handled.

Katharine Kemp is Senior Lecturer, Faculty of Law & Justice, UNSW Sydney. Her research focuses on competition law (particularly misuse of market power), consumer protection and data privacy regulation. A version of this article first appeared on The Conversation.

Customer experience User experience Risk Technology Policy Ethics Digital Data Privacy Law Regulation Consumers

Republish this article

Republish

You are free to republish this article both online and in print. We ask that you follow some simple guidelines.

Please do not edit the piece, ensure that you attribute the author, their institute, and mention that the article was originally published on Business Think.

By copying the HTML below, you will be adhering to all our guidelines.

Press Ctrl-C to copy

<h1>Why Australia's data privacy laws are in real need of reform</h1>

<figure><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/cc0b87d1-de42-4ee6-b8e7-64b8a7c03017/Reform%20needed%20Australia%27s%20data%20privacy%20laws%20hero.jpg?w=1320" alt="Why misleading privacy terms lead to a lack of consumer control over data" /><figcaption>Why misleading privacy terms lead to a lack of consumer control over data</figcaption></figure>
                                    <p>Australian consumers don’t understand how companies – including data brokers – track, target and profile them. This is revealed in new research on consumer understanding of privacy terms, released by the non-profit <a href="https://cprc.org.au/" data-new-window="true" target="_blank" rel="noopener noreferrer">Consumer Policy Research Centre</a> and UNSW Sydney.</p>
<p><a href="https://cprc.org.au/report/singled-out" data-new-window="true" target="_blank" rel="noopener noreferrer">Our report</a> also reveals 70 per cent of Australians feel they have little or no control over how their data is disclosed between companies. Many expressed anger, frustration and distrust. These findings are particularly important as the government considers <a href="https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report" data-new-window="true" target="_blank" rel="noopener noreferrer">long-overdue reforms to our privacy legislation</a>, and the consumer watchdog finalises its <a href="https://www.accc.gov.au/inquiries-and-consultations/digital-platform-services-inquiry-2020-25/march-2024-interim-report" data-new-window="true" target="_blank" rel="noopener noreferrer">upcoming report on data brokers</a>.</p>
<p>If Australians are to have any hope of fair and trustworthy data handling, the government must stop companies from <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3432769" data-new-window="true" target="_blank" rel="noopener noreferrer">hiding their practices</a> behind confusing and misleading privacy terms and mandate fairness in data handling.</p>
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/3c3a80bb-eba1-4b9a-8002-12f12d6d94c9/Katharine%20Kemp_UNSW.jpg" class="figure-img" alt="Katharine Kemp_UNSW.jpg"><figcaption class="figure-caption">UNSW Sydney's Katharine Kemp says that about 70 per cent of Australians feel they have little or no control over how their data is disclosed between companies. Photo: supplied</figcaption></figure>
<h2>We are all being tracked</h2>
<p>Our activities online and offline are constantly tracked by various companies, including <a href="https://cprc.org.au/wp-content/uploads/2023/09/CPRC-Submission-Data-brokers-ACCC-August-2023.pdf">data brokers</a> that trade in our personal information. This includes data about our activity and purchases on websites and apps, relationship status, children, financial circumstances, life events, health concerns, search history and location. Many businesses focus their efforts on finding new ways to track and profile us, despite repeated evidence that consumers view this as <a href="https://www.accc.gov.au/about-us/publications/digital-platforms-inquiry-final-report" data-new-window="true" target="_blank" rel="noopener noreferrer">misuse of their personal information</a>.</p>
<p>Companies describe the data they collect in confusing and unfamiliar terms. Much of this wording seems designed to prevent us from understanding or objecting to using and disclosing our personal information, often collected in surreptitious ways. Businesses can use your data <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3432769" data-new-window="true" target="_blank" rel="noopener noreferrer">to make more profit at your expense</a>. This includes</p>
<ul>
  <li>charging you a higher price</li>
  <li>preventing you from seeing better offers</li>
  <li>micro-targeting political messages or ads based on your health information</li>
  <li>reducing the priority you’re given in customer service</li>
  <li>creating a profile (which you’ll never see) to share with a prospective employer, insurer or landlord.</li>
</ul>
<p><a class="o-btn o-btn--primary" href="https://businessthink.unsw.edu.au/articles/protecting-privacy-ai-data" target="_self">Read more: Protecting your privacy: should AI write hospital discharge papers?</a></p>
<h2>Anonymised, pseudonymised, hashed</h2>
<p>Businesses commonly try to argue this information is “<a href="https://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#de-identified" data-new-window="true" target="_blank" rel="noopener noreferrer">de-identified</a>“ or not “<a href="https://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information" data-new-window="true" target="_blank" rel="noopener noreferrer">personal</a>“, to avoid running afoul of the federal <em>Privacy Act </em>in which these terms are defined.</p>
<p>But many privacy policies muddy the waters by using other, undefined terms. They create the impression data can’t be used to single out the consumer or influence what they’re shown online – even when it can. Privacy policies commonly refer to:</p>
<ul>
  <li>anonymised data</li>
  <li>pseudonymised information</li>
  <li>hashed emails</li>
  <li>audience data</li>
  <li>aggregated information.</li>
</ul>
<p>These terms have no legal definition and no fixed meaning in practice. Data brokers and other companies may use “pseudonymised information” or “hashed email addresses” (essentially, encrypted addresses) to create detailed profiles. These will be shared with other businesses without our knowledge. They do this by matching the information collected about us by various companies in different parts of our lives.</p>
<p>“Anonymised information” – not a legal term in Australia – may sound like it wouldn’t reveal anything about an individual consumer. Some companies use it when only a person’s name and email have been removed, but we can still be identified by other unique or rare characteristics.</p>
<h2>What did our survey find?</h2>
<p>Our survey showed Australians do not feel in control of their personal information. More than 70 per cent of consumers believe they have very little or no control over what personal information online businesses share with other companies. </p>
<iframe title="Perceptions of control over what businesses do with personal information" aria-label="Stacked Bars" id="datawrapper-chart-mJYfr" src="https://datawrapper.dwcdn.net/mJYfr/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="321" data-external="1"></iframe><script type="text/javascript">!function(){"use strict";window.addEventListener("message",(function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r=0;r<e.length;r++)if(e[r].contentWindow===a.source){var i=a.data["datawrapper-height"][t]+"px";e[r].style.height=i}}}))}();</script>
<p><br></p>
<p>Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.</p>
<p>Most consumers have no understanding of common terms in privacy notices, such as “hashed email address” or “advertising ID” (a unique ID usually assigned to one’s device). </p>
<iframe title="Familiarity with terms used in privacy policies" aria-label="Stacked Bars" id="datawrapper-chart-52P8q" src="https://datawrapper.dwcdn.net/52P8q/3/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="538" data-external="1"></iframe><script type="text/javascript">!function(){"use strict";window.addEventListener("message",(function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r=0;r<e.length;r++)if(e[r].contentWindow===a.source){var i=a.data["datawrapper-height"][t]+"px";e[r].style.height=i}}}))}();</script>
<p><br></p>
<p>And it’s likely to be worse than these statistics suggest, since some consumers may overestimate their knowledge. The terms refer to data widely used to track and influence us without our knowledge. However, when consumers don’t recognise descriptions of personal information, they’re less likely to know whether that data could be used to single them out for tracking, influencing, profiling, discrimination or exclusion.</p>
<p>Most consumers either don’t know, or think it unlikely, that “pseudonymised information”, a “hashed email address” or “advertising ID” can be used to single them out from the crowd. They can.</p>
<p>Most consumers think it’s unacceptable for businesses they have no direct relationship with to use their email address, IP address, device information, search history or location data. However, data brokers and other “data partners” not in direct contact with consumers commonly use such data. </p>
<iframe title="What personal info is acceptable for a business to use?" aria-label="Stacked Bars" id="datawrapper-chart-AgFEP" src="https://datawrapper.dwcdn.net/AgFEP/3/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="785" data-external="1"></iframe><script type="text/javascript">!function(){"use strict";window.addEventListener("message",(function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r=0;r<e.length;r++)if(e[r].contentWindow===a.source){var i=a.data["datawrapper-height"][t]+"px";e[r].style.height=i}}}))}();</script>
<p><br></p>
<p>Consumers are understandably frustrated, anxious and angry about the unfair and untrustworthy ways organisations make use of their personal information and expose them to increased risk of data misuse.</p>
<h2>Fairness, not ‘education’</h2>
<p>Simply educating consumers about the terms used by companies and the ways their data is shared may seem an obvious solution.</p>
<p>However, we don’t recommend this for three reasons. Firstly, we can’t be sure of the meaning of undefined terms. Companies will likely keep coming up with new ones.</p>
<p>Secondly, it’s unreasonable to place the burden of understanding complex data ecosystems on consumers who naturally lack expertise in these areas.</p>
<p>Thirdly, “education” is pointless when consumers are not given real choices about the use of their data.</p>
<p><a class="o-btn o-btn--primary" href="https://businessthink.unsw.edu.au/subscribe" target="_self">Subscribe to BusinessThink for the latest research, analysis and insights from UNSW Business School</a></p>
<p>Urgent law reform is needed to make Australian privacy protections fit for the digital era. This should include clarifying that information that <a href="https://brusselsprivacyhub.eu/publications/BPH-Working-Paper-VOL6-N24.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">singles an individual out from the crowd</a> is “personal information”. We also need a “fair and reasonable” test for data handling, instead of take-it-or-leave-it privacy “consents”.</p>
<p>Most of us can’t avoid participating in the digital economy. These changes would help ensure that instead of confusing privacy terms, there are substantial, meaningful legal requirements for how our personal information is handled.</p>
<p><a href="https://www.unsw.edu.au/staff/katharine-kemp" data-new-window="true" target="_blank" rel="noopener noreferrer"><em>Katharine Kemp</em></a><em> is Senior Lecturer, Faculty of Law & Justice, UNSW Sydney. Her research focuses on competition law (particularly misuse of market power), consumer protection and data privacy regulation. A version of this article first appeared on The Conversation.</em></p>

Comments

Opinion

Why Australia's data privacy laws are in real need of reform

We are all being tracked

Anonymised, pseudonymised, hashed

What did our survey find?

Fairness, not ‘education’

Republish

Related

Explainer: How ChatGPT works in a sentence

Generative AI: copyright, ethics, and the future of creativity

Labor's stage 3 tax cuts: is there a better, fairer alternative?

Is the Australian government doing enough to mitigate AI risks?

Find an expert

Connect