Npjs6hzr 1494289837

Data availability report presents compromised rights for consumers

Australians should be able to do more than just access and transfer their own consumer data. www.shutterstock.com

Data availability report presents compromised rights for consumers

Australians should be able to do more than just access and transfer their own consumer data. www.shutterstock.com

A promising inquiry into how data is used in Australia has proved disappointing, with consumers being offered few new protections.

Released this week, the Productivity Commission’s final report, titled Data Availability and Use, represents a major shift in the legal landscape of data rights.

The report makes a number of recommendations. Most importantly, it argues for the creation of a so-called “comprehensive right” for individuals or small businesses to access, correct and transfer data about themselves held by product or service providers.

In my assessment, the comprehensive right frames personal information as a commodity rather than as an inviolable attribute of our identity. It encourages us to share and sell it, rather than guard and protect it. It envisages individuals as walking data compilations.

If the government takes up the Productivity Commission’s recommendations, however, we would remain largely in the dark as to how and why our data is used to make commercial decisions about us, on issues such as our credit risk.

This shift shows we cannot continue to treat big data’s consequences for individuals as simply a matter of privacy. Instead, the increasing use of such tools implicates other areas of law, including competition and consumer law.

Data is not just about privacy

In a speech given in March, chairman of the Productivity Commission Peter Harris identified our lack of access to data about ourselves as one of the industry’s largest, un-addressed public policy issues. He said:

Consumers give and give, but share so little in the opportunities – until this inquiry.

The Privacy Act currently regulates the collection, accuracy, use, storage, security and disclosure of “personal information” by medium and large organisations.

It treats information as a private aspect of an individual’s identity via a regime of notice (the small print privacy policies none of us read as we log into websites) and choice (the boxes we tick in agreement).

But in his speech, Harris rightly stated that:

There is a complete absence of rights outside the privacy space for individuals in relation to their data.

The Productivity Commission’s report frames the consumer rights question in relation to “trust”.

As consumers, we provide social media companies, online shopping businesses and loyalty programs, among others, with tons of our information. But we also worry about what becomes of it, and sometimes we even deliberately mess with the process by using false names, for example.

This lack of “trust” concerns Harris. At some point “there must be a tipping point, where the balance of willingness tips from data supply towards data restriction”, he added in his remarks.

The Privacy Act appears to have been largely ineffective at increasing individuals’ trust in how their data is accessed and used, and the Productivity Commission hopes its reports will fix the situation.

Comprehensive or compromised?

Unfortunately, the “comprehensive right” recommended by the Productivity Commission is full of holes.

In the draft report, released in November 2016, it recommended this new right enable consumers to:

  1. access and correct information held about them and to be informed when it is disclosed to others

  2. have a new right for a copy of the data to be provided to them or a third party, such as a new service provider

  3. “opt out” of collection of data in certain circumstances, and

  4. appeal automated decisions, such as those based upon predictive algorithms.

So far, so good.

But after further review, which included submissions from some of Australia’s most powerful private sector players, such as the ANZ Bank, the new comprehensive right is now fairly hollow.

Consumers have the right to access and correct their data (a right already conferred by the Privacy Act) and to be informed who it has previously been disclosed to. They can also direct one company to give it to another, so, for example, an energy company can give you an electricity quote more quickly.

But that’s it. Consumers won’t be able to stop a company collecting information about them, nor can they challenge automated decisions made using that data, including credit worthiness or insurance risk.

In its report, the Productivity Commission justified its decision by explaining that because consumers will have the right to access and edit some of the data held about them, they do not need to know the methods by which this data is transformed into decisions about whether they qualify for a loan or the cost of a health insurance policy.

This is akin to saying that if we know the evidence admitted in a court case, we do not need to know how a judge arrives at a sentence. The weight given to specific information is obscured and the scene is set for possibilities of unfair stereotyping, bias and discriminatory practices – something that is already reportedly occurring in this space.

As legal commentators in the United States have pointed out:

Predictive algorithms assess whether we are good credit risks, desirable employees, reliable tenants, valuable customers — or deadbeats, shirkers, menaces, and “wastes of time.”

The Productivity Commission’s draft report in 2016 was promising and attempted to balance the efficient and intelligent use of data in Australian markets and governments with new rights for consumers.

The final report, however, is underwhelming. For Australian consumers, the new right is better described as “compromised” and not “comprehensive”.