Photo: DKI
Reigning in the expanding dystopia?
DIGITAL ID REGULATION
The Office of the Australian Information Commissioner (OAIC) recently launched their Digital ID regulatory strategy, mapping out how it intends to encourage people and businesses to “…shift to safer and more protective means of ID verification, and ensure privacy is respected in Australia’s Digital ID System and the broader economy.”
The desired outcomes of the OAIC’s regulatory strategy are broad, focusing on issues like ‘education’ and ‘trust’.
In the main, the government wants Australians to be smart about Digital ID, to be able to recognise unsafe IDV practices, and to feel trust in the country’s digital identity system.
To that end, the OAIC says it plans to perform five key functions.
- It will provide education to Australians and businesses and encourage them to switch to more secure means of identity verification that comply with the law.
- It will monitor for non-compliance and alert enforcement units when there is need for an investigation.
- It will enforce privacy safeguards, “including resolution of possible breaches through investigation, litigation and other formal enforcement outcomes.”
- It will ensure visibility of regulatory actions and compliance outcomes to deter violations.
- It will collaborate on strong relationships with the regulated community, industry and government.
The strategy plan includes a table of activities and estimated timelines, a detailed breakdown of actions in specific categories, and a list of projected outcomes.
A desired short-term outcome is to “mature existing awareness about privacy across multiple domains of life”, so that “…individuals will develop a more nuanced understanding of privacy issues recognising their significance across various aspects of their lives, including personal, professional, and social domains.”
The long-term outcomes include the widespread implementation of enhanced privacy compliance practices for organisations, better public understanding of the OAIC’s role as regulator, and enhanced data handling standards. A bit more practical.
But what does this all mean without the fluff?
Well, on the list of regulatory focus areas are identity verification by unaccredited ID services, data retention, and the matter of express consent.
AI is also a matter of going concern, and compliance for model training and development will be a “major focus” for the regulator.
Facial recognition is also a major area, and perhaps the most important.
One thing of note is the statement that the OAIC will focus “proactive regulatory efforts” on biometric information. It lists prioritising of complaints regarding biometrics as an example, as well as an analysis of systemic trends to inform compliance/enforcement.
Privacy Commissioner, Carly Kind, says the watchdog has its eye on deployments of facial recognition in the retail and hospitality sectors, and will address community privacy concerns about rental apps in the real estate sector and connected cars.
And, with how much facial recognition and biometric-enabled technology has spread over the last decade, it certainly is an area that needs immediate attention.
GOVERNING BIOMETRICS
For many years, Australia (and most of the world) have always played catch up trying to legislate advancing technologies. Most go unregulated and barely governed upon release, and by the time our laws catch up, it has already gone far beyond that.
OAIC, they say, are trying to get on top of this to align both policy and legislation together.
In late February, Carly Kind delivered a speech on privacy and security in retail that references her decision on the Bunnings case, which led to the publication of guidance on the use of facial recognition technology – focused on four key privacy concepts:
- Necessity/Proportionality.
- Consent/Transparency.
- Accuracy/Bias.
- Governance.
For those who remember, Australian consumer advocacy group CHOICE raised concerns about major retailers using facial recognition technology to record customer faceprints.
CHOICE referred Kmart, Bunnings and The Good Guys to the Office of the Australian Information Commissioner to investigate potential breaches of the Privacy Act.
Kind says she based her Bunnings decision, which the retailer is appealing, on what she deems to be shortcomings on those concepts.
But she also takes the wider societal view into consideration: “Our research told us that more than a quarter of Australians feel that facial recognition technology is one of the biggest privacy risks faced today, and only 3 percent of Australians think it’s fair and reasonable for retailers to require their biometric information when accessing their services.”
A post from Annan Boag, general manager of regulatory intelligence and strategy, attempts to capture the general public vexation over digital identity verification.
“Too often, verifying your identity means sharing ID documents,” Boag writes.
“I don’t think I’m alone in feeling a twinge of concern when hitting send on an email with a photo of my passport or driver’s licence, or when handing them over to be scanned when I enter a venue. Where’s the document going? What happens if it gets into the wrong hands?”
Boag follows this with an observation: “…organisations collecting this information are often just as uncomfortable about holding ID documents as most people are about sharing them.”
A growing number of corporations are harvesting and storing vast amounts of data, spreading through society like wildfire.
To give an example of how much this technology has spread, even pubs and clubs across Australia have been slowly switching on facial recognition capabilities – including many of my local pubs in my small south-east Queensland region.
This is just a small piece of the larger biometric puzzle at play.
Changing privacy laws to reflect current concerns is not a fast process, but Kind suggests some changes can be made to policy before the next changes to Australian law pass.
“I think it’s sufficiently important and urgent that we don’t wait for the legislative reform at this stage … and see what we can do via application in determinations and enforcement proceedings.”
Ultimately, changes in the law regarding the right to erasure, fair and reasonable testing, direct right of action, and removal of small-business exemptions could address gaps in the 1988 Privacy Act. But that remains to be seen.
Until then, it’s all well-and-good to say you are going to regulate this type of activity, but whether any impactful change will come is still up in the air.
At least, on paper, the OAIC seems to be taking into account the concerns of citizens regarding this continuously expanding digital dystopia.
At the end of the day, however, personal responsibility to protect oneself in society should be the main focus of every citizen – not relying on a bureaucracy doing it for you.
There still are ways to navigate the times we live in, to protect yourself and your family.
KEEP UP-TO-DATE
For more TOTT News:
Facebook — Facebook.com/TOTTNews
YouTube — YouTube.com/TOTTNews
Instagram — Instagram.com/TOTTNews
Twitter — Twitter.com/EthanTOTT
Bitchute — Bitchute.com/TOTTNews
Gab — Gab.com/TOTTNews
1 thought on “Australia’s privacy watchdog publishes Digital ID regulatory strategy”