Let me state this unambiguously: Australian privacy laws are in urgent need of reform.
Europe, Canada, the UK, and now even many US states have modern privacy laws which are able to meet the challenges of the modern data-driven world. Those laws are certainly not perfect, but they are a huge step up on what we have here in Australia.
Here at IDVerse, despite being an Australian-founded company, we apply GDPR and US state law standards to our global processing of data. We have made the decision that to adequately protect the end users of our biometric products, we need to apply European standards here in Australia rather than the Australian laws. That is an honest assessment of how we view current Australian laws—in a word, insufficient.
The need to lead
I’ve the privilege of attending events from time to time with regulators and lawmakers in the privacy, financial services, and technology sectors. A line I hear time and time again—and with which I disagree wholeheartedly—is that Australia should learn from other countries before implementing its own new laws.
This logic is being applied to AI laws and has been applied to privacy laws for a long time. But this means that Australia will never lead in sectors where it could take a lead, and it also means Australian citizens do not enjoy the protection from the law that other countries’ citizens do.
Why do we accept that here?
Hope on the horizon
The newest Privacy Commissioner in Australia, Carly Kind, has just announced that OAIC (Office of the Australian Information Commissioner, i.e. the regulator) had to abandon its investigation into TikTok because the current Privacy Act does not give her the tools she needs to be confident of a successful outcome for the regulator. That is as damning a verdict on the current laws as you are likely to hear from the regulator. She pulls no punches in condemning the status quo whilst welcoming the new reforms.
The good news is that, well, good news is around the corner. The Commonwealth Government is pushing ahead with its reforms to the Privacy Act and has promised that they will go before Parliament in 2024. The reforms are a really positive step in the right direction and will bring Australia almost to the level of protection that European and UK citizens enjoy under the GDPR.
A new role for Australia
In some ways, Australia will be taking a global lead. The proposed new law provides that companies must always process data in a “fair and reasonable way”. (An approach also taken in the draft of the US federal bill; so Australia is taking a co-lead.)
The purpose of this phrase is to indicate that companies can no longer just collect consent for every act of data processing safe in the knowledge consumers just click through because we all now have consent fatigue on the internet. It means that companies have to apply that test to all their processing decisions—even when they have consent from the user. In other words, blanket consent can no longer be assumed.
Consumers are the beneficiaries
From an identity verification specific standpoint, IDVerse welcomes wholeheartedly the “fair and reasonable” concept. We are still concerned that many companies in our sector reuse consumer data to train their algorithms, and rely on “consent” collected via their clients’ privacy policies for this training.
We strongly suspect that the majority of consumers would be very surprised to learn that their biometric data and identity document data is being repurposed in this way. By contrast, at IDVerse we use regenerative AI to create entirely synthetic datasets for our training—meaning that no personal data has to be used.
To wrap up, I’ll say unequivocally that the future is brighter for Australian citizens. All things going well, we should soon have a Privacy Act that meets our needs and brings us (almost) in line with the rest of the developed, democratic world.
About the post:
Images are generative AI-created. Prompt: A person holding a glowing, ethereal orb representing privacy, person is smiling and the light from the orb reflects on their face, cinematic, dramatic lighting, highly detailed. Tool: Midjourney.
About the author:
Peter Violaris is Global DPO and Head of Legal EMEA for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 7 years and before that worked for London law firms.
