Brilliantly funny Aussie comedian Wil Anderson, of Gruen Transfer fame, wrote in his gut-splitting book "I Am Not Fine, Thanks" an incredibly insightful comment about the trade-offs between privacy, smart devices and other technological marvels. In his book Anderson writes about his initial resistance to technology companies wangling their way inside our homes with connected tech. "I was already not the smartest thing in my house, and I don't need to keep demoting myself down the ladder," he said. Spoiler alert: there was a very brief battle of wills with Anderson and a streaming movie on one side against the evils of a rural, Australian telecommunications blackspot. Poking fun at how quickly we all eventually cave to the lure of technology in exchange for our personal privacy, Anderson made it clear that resistance is futile. As he put it: "the world is designed to get us to sacrifice principles in the name of convenience."
Spot on, Ando. To my mind, that statement goes to the heart of the debate bedeviling privacy practitioners and ordinary people worldwide. We all have our blue-circle-of-death moments when we cannot do without some amazing new app or smart device that happens to have an all-cookies-or-get-lost policy. Most of us stick our collective heads in the sand, hoping our little Faustian bargain doesn't end in a visit from a certain man with horns and pitchfork, who's hellbent on collecting our digital souls. We all know how that story ends, but hope does spring eternal — especially for Australians. No worries, mate, she'll be right … That is until it's not.
And things definitely were not right in 2022, a year marked by a seemingly endless parade of data breaches. I don't think anyone is clear on the final figures, but it is certain millions of Aussies lost personal information to the dark web's tentacles last year. However, there is hope and patches of sunlight on a previously very dark horizon in the form of much-anticipated reforms to Australia's Privacy Act, due for release in 2023. On top of that, Australia has already implemented reforms with massive increases in fines for privacy violations. As I flagged in my last IAPP article, those fines are AUD50 million, meaning Aussie organizations are officially on notice to get serious about privacy. And that means we're on the right track, right?
Yes. Increasing fines is a step in the right direction, but fines only represent one aspect of the multifaceted privacy equation. This is only my personal opinion, but I think other areas are in serious need of our attention. Like what? We could start with the logistical nightmare facing millions of Australian data breach victims. Again this is only my personal take, but I think fines rank lower on the priority list for ordinary Australians than getting new Medicare cards, passports and driver's licenses, not to mention reliable information about the risks they face in the aftermath of a data breach. I also think it's fair to say Aussies want these things quickly, without having to contact scores of government agencies, banks and other organizations. I'm not disputing the importance of fines or Office of the Australian Information Commissioner investigations. I do, however, wonder if we might consider reimagining where to place our collective focus in responding to data breaches and allocating resources for increasingly common events.
Taking a page from New Zealand's tort system and my native Canada's no-fault vehicle collision regimes, we might conjure up a limited, no-fault data breach regime. In that "fantasy football" world, fines would play a part. However, the starring role and regulators' spotlights could shine on remediation efforts and how best to serve the needs of data breach victims. We might also contemplate establishing a central, regulated entity to apply standard protocols for all data breaches. In fact, we could dream into existence a statutory insurance corporation to determine standard levels of compensation for data breach victims. This would avoid the additional time, effort and emotional toll from launching class action lawsuits or seeking administrative relief. While we are at it we could wave a wand and, presto, we've got a streamlined one-stop-shop where individuals can confirm whether their identity was compromised, learn how to obtain new documentation, clear their credit scores and so on. This model entity would spare individual organizations from reinventing the wheel with each new data breach and hopefully help them learn from previous incidents. How would this fantasy data breach regime be funded? We could start with those massive fines, taking a portion of all moneys collected to underwrite operating expenses. Other options include U.K. Information Commissioner's Office-style levies for all entities doing business in the jurisdiction.
This may sound like a pipe dream or a post-Christmas holiday musing, coupled with speculation about the form and shape Australia's amended Privacy Act will take in 2023. Full disclosure: it is. But I think there is merit in considering creative, out-of-left-field approaches to how we, in Australia and other jurisdictions, can best respond to data breaches in a way that meets the needs of our communities. Here's an additional disclosure: my initial take on this subject was very different. The first draft of this article argued that our collective willingness to cave in the face of shiny social media baubles and other online, or tech, gadgets proved privacy rights were in decline. As for our collective apathy and chronic hyperbolic discounting of PI, this was indicative of an ongoing erosion of privacy awareness and inability to promote privacy as a basic human right.
On reflection, I think my original take about privacy principles being in decline was wrong. So, too, were my assumptions that privacy principles and convenience are mutually incompatible. In fact, a better way to view these concepts might be to see them as flip sides of the same coin. If you doubt that point, consider the famous American jurists Samuel Warren and Louis Brandeis who arguably pioneered the modern "right to privacy" in their 1890 Harvard Law Review article of the same name. According to Warren and Brandeis, a key element of the right to privacy is the right to quiet enjoyment, to be let alone. The same right to quietude applies equally to the inevitable data breaches we will all experience. In the case of Australians, that point may come much sooner than later. Maybe it already did. Thank you, 2022.
With that inevitability in mind, we should strive to build straightforward, easily navigated and efficient systems for remediating data breaches. Why? We are all busy. We all want to get on with our lives. We all put a high value on convenience. The very definitions of inconvenience, bother and frustration include chasing countless service providers or spending endless hours on the phone trying to revalidate our identities with government agencies, banks and others. If efficient and sensible systems aren't in place, we effectively undermine the basic right to be left alone and free of bother. As we begin to redesign Australia's privacy regime in the coming months and years, I hope convenience doesn't trump privacy principles. I hope it is considered a core consideration in the practical exercise of those rights.