Privacy matters

September 5, 2019

A newly published article, “Privacy law needs privacy harm”, questions the assumption that privacy law built on the concept of obeying a set of process rules leads to privacy. The Privacy Act 1988 and most of the other privacy law in Australia are built on this assumption.

This construct has at least two serious flaws:

1 – nobody has defined ‘privacy’; and

2 – nobody has provided the evidence that the process rules contribute to anything other than compliance costs, let alone improving the undefined concept of ‘privacy’.

We at IIS have been making this point for years.

Better than that, this article draws out the implications in a new way that is well worth noting.  The consequences of this process rules approach to privacy are that:

1 – trivial actions may be a breach of the law even though their consequences range from non-existent to trivial (the Lindqvist story cited in the article is a very good example); while

2 – highly harmful actions might be lawful (the Facebook component of the Cambridge Analytica scandal might have been legal, but the harm done might be to democracy itself).

One of the corollaries to this is that perhaps the issue is often not a need for new law, but rather enforcement of current law in the new digital world.

For example, all the anti-discrimination laws in Australia (human rights, disability, race, sex, age, etc.) are either obviously or less obviously being broken all the time, but the regulators such as the Human Rights Commission, OAIC, etc. are woefully under-resourced for the task. 

They cannot even get the research done to know what is going on, let alone enforce the law. Ed Santow’s current efforts are a great start, but sadly nothing more.

There is, however, a major potential stumbling block in this ‘harms’-based approach, namely, what is, and is not, harm. 

The courts in the US have taken a stunningly narrow view on what constitutes harm, such that it literally has to be ‘money that has been stolen from your pocket’.  No monetary impact = no harm.  No harm YET = no harm, etc. 

If that conceptualisation spreads worldwide, then we have a real problem.  But if a broad approach to what is ‘harm’ is taken, including all the anti-discrimination laws, etc., then we stand a chance.

This is one of the many reasons why the EU General Data Protection Regulation is not the answer, regardless of all the trumpeting worldwide.  GDPR is literally the best 20th-century privacy law yet made, but that is all. It is not fit for the 21st century.