What you need to know:

• Cookie based IDs, Unified ID 2.0 and even Facebook and Google’s audience matching systems could fall under the microscope if a proposal in the government’s review of the Privacy Act is adopted.
• The government has proposed including a list of technical information that would count as “personal information”. The list includes location data, online identifiers, and even some characteristics of a person.
• It is proposed this could cover circumstances where “an individual is distinguished from others… despite not being named”.

The technical info list

Any data sets that separate individual users and assign them an identifier – Unified ID 2.0, LiveRamp’s ID, any cookie-based IDs, Facebook’s Custom Audience, and Google’s Customer Match, for example – could fall under stricter privacy laws, under a proposal floated by the Australian government.

In a change that would have profound implications for the $13 billion digital advertising industry, information sets that could be used to identify an individual, even if it needs to be added to other data to do so, may already fall under the Australian Privacy Principles, experts say – but the government wants to make that more explicit.

In the discussion paper of proposed ways to change Australia’s Privacy Act, the government has flagged adding a “non-exhaustive list” of information that would be covered by the definition of personal information. It’s listed as recommendation 2.2 and, while it seems like a small change, it could have big legal implications.

The examples that could fall within that definition, according to the government, are identifiers like names, identification numbers, location data, online identifiers, and one or more specific physical, behavioural, cultural or economic characteristics of a person. Crucially, the Attorney-General’s Department says: “The definition would cover circumstances in which an individual is distinguished from others or has a profile associated with a pseudonym or identifier, despite not being named.”

What’s in a definition

The list of technical information is part of a suite of changes that would define the scope of an updated Privacy Act. The challenge is to define which information should be included. The current proposal starts with redefining the Act to cover information that “relates to” a user, rather than just “about” someone. On the other end, it would information to be “anonymous” before it is not protected by the Act.

“If something is truly ‘anonymous’ (such that no individual could be identified or distinguished from others such that they can targeted or contacted in some way) then it won’t be covered, but ‘pseudonymous’ information, such as a hashed email address or cookie or other ‘identifier’ (such that an individual could be identified or distinguished from others so as to be targeted or contacted in some way) will be covered, if that proposal goes ahead,” Salinger Privacy’s Anna Johnston says.

“So yes: Facebook/Google customer match, LiveRamp IDs, any cookie-based IDs would be exactly the sort of thing the proposal in the Discussion Paper would be trying to include. And yes, it doesn’t mean that use of such things will be prohibited; just that they will be in scope for regulation, meaning that their collection, use or disclosure will need to comply with the Australian Privacy Principles.”

Willem Paling, the newly-appointed Director of CX and Personalisation at Luxury Escapes, says it’s clear this proposal takes inspiration – and wording – from Europe’s General Data Protection Legislation (GDPR). But it will potentially go even further.

“While third party cookies are still around, if this proposal goes through, I expect that the same care we must take with SMS and email would apply to cookie-based digital advertising,” he says.

“But we’re losing the cookies next year… so the question is whether it would restrict the use the many emerging alternatives to cookies. I think the answer is yes. 

“Over the last few years, we’ve seen many of these alternatives. In all these cases, the identity is useful because it relates to a person. It is hard to see these alternative, privacy-safe, approaches to anonymous online identity evading the proposed expansion what constitutes personal information.”

‘An extreme’

A way to mitigate the impact of these changes would be to include the “non-exhaustive list” in the explanatory notes, rather than in the legislation. That way, it could be changed – if necessary – without requiring a change to the law itself.

That was one argument put forward by the Association for Data-driven Marketing and Advertising (ADMA) in its submission to the government.

“We understand the objective is to provide clarity, but there’s such a risk in creating greater confusion. That not the intention of the Act,” Sarla Fernando, Head of Regulatory and Advocacy at ADMA, says.

“The government is putting this forward as an extreme, to get people out of the habit of only using the name to identify a person… The application of personal information is moving beyond what we consider as personal identifiers.”

Rather, the Act should include a “contextual evaluation” that considers the nature, the environment and availability of other data that could identify someone. A pre-set list in the legislation lacks nuance and flexibility, she says.

A broad view

There is a spectrum of views on where the privacy reform, which is still a work in progress, will land. On one side is the view, shared by Salinger Privacy’s Anna Johnston, that the current Discussion Paper and caselaw from the Office of the Australian Information Commissioner (OAIC) mean technical information may already count as personal information, caught by the Act. On the other end are a number of media companies that would like things to stay pretty much the way they are.

“At the moment we're in the helicopter, they're getting broad brush submissions on broad brush proposals. It's in the next stage that we're going to get an exposure draft, and we're going to really be a lot more nit-picky about what the practical consequences will be,” Sophie Dawson, a partner at law firm Bird & Bird specialising in media and tech advice, says.

“The overall thrust is you’d have to say the writing is on the wall, that the proposed reforms will seek to bring electronic identifiers within the ambit of the Act.”

But there is some room for argument, and there’s no guarantee the proposal, which appears to capture all information that separates an individual, will be included. If all that data is included as personal information, the level of consent required jumps dramatically.

Dan Stinton, the Managing Director of Guardian Australia, says he’s been aware of this possibility but thinks it’s unlikely.

“That would mean that Australia's privacy law goes further than anyone else in the world,” he says.

“And given the discussion paper is alive to the issues of constantly asking for consent, this would go against any objective to lessen the burden on consumers.”

The better option would be to include a “reasonableness test” on the use of identifiers, Stinton says, which means they don’t require a blanket ban or strict consent rules.

“This can only work, however, if there are purpose limitations that prevent the large players from collecting data in one environment and then using it in a completely different environment,” he says.

“That is not reasonable even with consent, and so should be outlawed. This has the benefit of both strengthening privacy and improving the competitive environment - two things that are usually in opposition to each other.

“There is plenty of harm that can come from unfair discrimination by using these identifiers due to the lack of transparency, but I think a reasonableness test and transparent privacy policy will go some way to solving most of the issues without having to ask for consent.”

Unnamed identifiers may already be covered

Johnston says the OAIC appears to believe identifiers are already covered by the current definition of personal information. In a recent case against 7-Eleven case, the OAIC said although the company was collecting facial recognition data – “faceprints” – in isolation from other data, it could still identify someone. Faceprints are a different level of data to some stand-alone behaviour signals, but the Information Commissioner has also said that “for an individual to be ‘identifiable’, they do not necessarily need to be identified from the specific information being handled”.

In its guide notes from 2018, the OAIC wrote: “Generally speaking, an individual is ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group.”

“I believe it is correct, based on both published guidance and Determinations from the OAIC, that online identifiers which can distinguish one person from the crowd are already covered by the Australian Privacy Act,” Johnston says.

“However, we don’t have a higher court case on the issue, so the proposed reform is needed to make that really explicit in the wording of the Act itself, to put it beyond doubt.”