Data and digital rights: recent Australian developments

Data privacy rights are one of the most urgent issues in contemporary digital policy. In the face of insurgent citizen activism and outcry, national governments are looking for options to address this problem - something difficult for many jurisdictions when they lack robust, responsive policy frameworks, even in the wake of the call to act represented by the European General Data Protection Regulation (GDPR). In this paper we explore two Australian developments in 2018-2019 which take up the challenge: proposals from the Australian Competition and Consumer Commission (ACCC)’s Digital Platforms Inquiry to more stringently regulate social media companies when it comes to data privacy; and the government-mandated creation of a Consumer Data Right. Both policy initiatives seek to grapple with the widening pressure to provide better public domain information, fair and effective options for users to exercise choice over how they configure technologies, and strengthened legal frameworks, enhanced rights, and better avenues for redress. However, in our analysis, we find little evidence that the initiatives are joined up, or connected by any common goal of really understanding, or acting on, citizen concerns to do with data privacy threats.


INTRODUCTION
that protection for human rights is not inevitable, even in a Western liberal democracy. The absence of a bill of rights or equivalent to the European Convention on Human Rights in Australia has significant implications in this context. Not least, it arguably diminishes the quality of the discussion about rights, because, for instance, it means that Australia lacks opportunities for measured judicial consideration of acts that may breach human rights, or questions regarding the proportionality or trade-off to be drawn between, for example, national security and privacy. That leaves researchers, institutions, and the wider society --including the public --with a relatively impoverished rights discussion that is skewed by the political considerations of the day and the views of advocacy groups on all sides.
The Australian case is of particular relevance to the UK going forward, and understanding the data privacy rights evolution of kindred 'Westminster' democracies (Erdos, 2010). The UK has a Human Rights Act, and it has some teeth; however, it lacks any constitutional bill of rights (Hunt, 2015; Kang-Riou, Milner, & Nayak, 2012) --although this has been a longstanding proposal from some actors (Blackburn, 1999), including the Conservative Party during the 2015 UK General Election. Up to now, however, it has been possible to challenge actions in the UK via EU institutions, and the UK has been bound by specific instantiations of rights in detailed EU instruments. Owing to Brexit, the existing UK human rights arrangements look like becoming unmoored from at least some judicial systems of Europe (subject to the shape of the final arrangements) (Gearty, 2016; Young, 2017, pp. 211-254).
Notably, in recent times, it has been the proactive European Union (EU) response that has gained widespread attention (Daly, 2016b). Data protection is enshrined in the Treaty on the In part, the GDPR represents an important early effort to address the implications of large-scale data analytics and automated processing and decision-making. The implications of the GDPR for citizen rights are untested in the courts so far, but the implementation of the law has provided a focal point for a sustained academic, policy, and industry discussion of automated data processing in Europe.
In the area of privacy and data protection, Europe has played an important normative role (Voloshin, 2014) in Australian debates (Stats, 2015), because of its leadership in this area and the involvement of many Australian researchers, jurists, parliamentarians, policy-makers, and industry figures in engagement with European actors and trends (Calzada, 2018; Poullet, 2018; Stalla-Bourdillon, Pearce, & Tsakalakis, 2018; Vestoso, 2018). Recently, the EU's expanded emphasis on its external policy portfolio, and its capacity to serve as a more "joined-up global actor", has been theorised as a kind of "new sector diplomacy" (Damro, Gstöhl & Schunz, 2017).
Already the GDPR has some global effect --introducing compliance obligations for international organisations or businesses based outside the EU that have an establishment in the EU, that offer goods and services in the EU, or that monitor or process data about the behaviour of individuals in the EU.
Another route for this strong influence has been via joint efforts under the auspices of the OECD. A watershed here was the creation and adoption of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, 1980/2013). Distinguished Australian High Court judge and law reformer, the Justice Michael Kirby was the Chairman of the OECD Expert Groups on Privacy and Data Security. He notes that the OECD Guidelines, and the privacy principles they contain, "profoundly influenced" the foundational 1988 Australian Privacy Act that remains in force today (Kirby, 1999). More recently, there is abundant evidence of the influence of European law and policy reform on the wider region, as documented in the work of Australian privacy scholar, Graham Greenleaf, notably his comparative study of Asian data privacy laws (Greenleaf, 2014).
Europe is thus a lodestone and an internationally respected point of reference for privacy and data protection, including in Australia. Yet, European developments also offer a stark contrast to the situation in Australia, where, in recent years, Australia's law-makers have been slow to respond to expressions of citizen and user data privacy concerns (Daly, 2016a;.

STATE OF PLAY OF DATA PRIVACY IN AUSTRALIA: A SNAPSHOT
Australian privacy law is the result of both legislation and the common law. There is no right to privacy enshrined in the Constitution. Information collection and processing by government and by larger private sector players is governed by the Privacy Act 1988 (Cth) and a range of state and territory legislation. These instruments do not, however, provide an enforceable right to privacy. The Privacy Act includes 13 Australian Privacy Principles (APPs) that impose obligations on government and private sector organisations (with some important exclusions) when collecting, handling, storing, using, and disclosing personal information, and certain rights for individuals to access and correct personal information. The Privacy Principles place more stringent obligations on entities that handle "sensitive information" about an individual, including information about their health and biometric data, racial or ethnic origin, political opinions and membership, religious beliefs or affiliation, sexual orientation, and criminal record. Both the current Australian legal framework and the terms and conditions applied by online platforms are based on a model of notice and consent: notification that personal information is being collected and consent to those uses. Yet as our 2017 study indicated, even where citizens may have assented to their data collection, and may be taking active steps to protect their privacy, they are still worried that they lack knowledge of its potential uses, and control over the acquisition of personal information.
Australians, however, have no direct right to sue for a breach of the principles --only rights to complain, first to the organisation involved or, if there is no satisfactory response, to the Office of the Australian Information Commissioner (OAIC). For its part, the OAIC's powers include "investigating individuals' complaints [in the second instance] and commencing Commissioner initiated investigations, making a determination about breaches of privacy, and applying to the Federal Court for a civil penalty order for serious or repeated interferences with privacy" (OAIC, 2018). The role, powers, and resourcing of the OAIC and its failure to take enforcement actions have been the subject of considerable criticism (Australian Privacy Foundation, 2018; Daly, 2017).
Australians' rights against unwanted intrusions on seclusion, or the unwanted revelation of private information, are also limited. The appellate courts in Australia do not currently recognise any civil cause of action for invasion of privacy, although the High Court has left open the possibility of developing one (Daly, 2016a). There is some potential to seek remedies for serious invasions of privacy through other legal mechanisms, such as legal rights to prevent physical invasion or surveillance of one's home, rights against defamation or the disclosure of confidential information, or even copyright law (ALRC, 2014). Proposals to recognise a statutory cause of action from the Australian Law Reform Commission have not been acted on (Daly, 2016a).
None of these various Australian legal regimes have responded to broader shifts in the capacity to gather data on a larger scale, to link datasets, to analyse and pattern data, and to use such The policy and legal lacunae in Australia become evident when governments and corporations are in a tense dance to reconcile their interests, in order to make the market in consumer data, sharing, and collection work smoothly and to promote innovation agendas in IT development.
At the heart of the contemporary power, technology, and policy struggles over data collection and uses are citizen and user disquiet and lack of trust about the systems that would provide protection and safeguards, and secure privacy and data rights.
In Australia, there have been a range of specific incidents and controversies that have attracted significant criticism and dissent by a range of activist groups. Concerns have been raised, in particular, by policy initiatives, such as internal moves to facilitate broader government data sharing, among agencies, as well as wider, security-oriented reforms centring on facial recognition. One of the most controversial initiatives was the botched 2017 introduction of a national scheme called "My Health Record" to collect and make available to health practitioners the data of patients (Smee, 2018). Such was the widespread opposition and opting-in that by February 2019, approximately 2.5 million Australians (of a population of 25 million) had chosen to opt out (Knaus, 2019).

TWO APPROACHES TO DIGITAL RIGHTS
As we have indicated, in Australia while there is a groundswell of concern and continuing activism on digital rights issues, there is no real reform of general privacy and data protection laws afoot. Instead, privacy is being addressed at a legislative level in a piecemeal way, with tailored rules being included in legislation for specific, data-related policy initiatives. Two interesting and significant initiatives are underway that could, if implemented properly, make important contributions to better defining and strengthening privacy and data rights.

DIGITAL PLATFORMS INQUIRY
One important force for change is the Digital Platforms Inquiry being undertaken by the general market regulator, the Australian Competition and Consumer Commission (ACCC). In its preliminary report, released in December 2018, the ACCC gave particular attention to Google and Facebook, noting their reliance on consumer attention and consumer data for advertising revenues as well as the "substantial market power" both companies hold in the Australian market (ACCC, 2018b, p. 4).
What is especially interesting in the ACCC's interim report and its public discussion is the salience given to issues of consumer data collection and consumers' awareness of these practices and their implications (note the framing of Australians as consumers, rather than citizens, a point to which we return below). The ACCC also found that consumers were troubled by the scale and scope of platform data collection. It also noted that they "are generally not aware of the extent of data that is collected nor how it is collected, used and shared by digital platforms" (p. 8) due to the length, complexity, and ambiguity of platform terms of service and privacy policies, and that they had little bargaining power compared to platforms which largely set the terms of information collection, use and disclosure on a bundled or 'take it or leave it' basis (p. 8). Reflecting on this, the ACCC argued that this information asymmetry and power imbalance had negative implications for people's capacity to demonstrate consent and exercise choice (ACCC, 2018b, p. 8). The ACCC also noted the absence of effective mechanisms for enforcing privacy laws, and cautioned that:
"The lack of both consumer protection and effective deterrence under laws governing data collection have enabled digital platforms' data practices to undermine consumers' ability to select a product that best meets their privacy preferences." (ACCC, 2018b, p. 8)
The ACCC's Preliminary Report proposes various recommendations for legislative and policy change to address issues of market power and safeguarding competition, and also proposes a set of amendments to the Privacy Act "to better enable consumers to make informed decisions in relation to, and have greater control over, privacy and the collection of personal information" (ACCC, 2018b, p. 13).
Among other things, these recommendations include: strengthening notification requirements for collection of consumers' personal information by their platform or third party; requiring that consent be express (and opt-in), adequately informed, voluntarily given, current, and specific; enabling erasure of personal information; increasing penalties for breach; and expanded resources for the Office of the Australian Information Commissioner (OAIC) to scale up its enforcement activities (ACCC, 2018b, pp. 13-14). In addition, the ACCC recommends a new enforceable code of practice to be developed by key digital platforms and the OAIC, to "provide Australians with greater transparency and control over how their personal information is collected, used and disclosed by digital platforms" (ACCC, 2018b, p. 14). Also notable is a recommendation for the introduction of a statutory cause of action enabling individuals to take action over serious invasions of privacy "to increase the accountability of businesses for their data practices and give consumers greater control over their personal information" (ACCC, 2018b, p. 14).
With the full report due in mid-2019, and formal government response to follow, a wide range of actors debated potential regulation of digital platforms, including civil society, academia, as well The international stakes are also high, illustrated in the ACCC's call for its international counterparts to follow its lead in this "world first" inquiry in applying tougher safeguards (Duke & McDuling, 2018; Simons, 2019). Pitted against the digital platform giants are the older media companies still with significant interests in press, broadcasting, and radio, supporting the call for tighter regulation of the 'digital behemoths' (Swan, Vitorovich, & Samios, 2019). Clearly protectionism of existing media market dispensations is to the fore here, rather than protection of citizen rights - these traditional corporate players are very happy to see emergent internet and digital platform companies regulated as if these were media companies; or indeed facing extensions of other regulations, such as privacy and data law and regulation.

CONSUMER DATA RIGHT: "DATA AS AN ASSET"
There has been something of a long-term, bipartisan consensus shared by both major political parties - the conservative Liberal/National Party Coalition government as well as the typically more social democratic Australian Labor Party (ALP, currently in opposition) - that, especially when it comes to internet, telecommunications, social media, and associated digital technologies, "light touch" market-oriented regulation is to be favoured. The dominant position of the ALP is to style itself as pro-market with an admixture of government intervention and responsive regulation as needed. Hence it has been generally more responsive to calls for privacy and data rights improvements, when it comes to abuses from digital platform companies. However, it is extremely reluctant to be seen as "weak" or "soft" on issues of national security, cybersecurity, and fighting terrorism, so has rarely challenged contentious Coalition laws on metadata, and data retention (Suzor, Pappalardo, & McIntosh, 2017). Most recently, in December 2018, the ALP backed down in parliament, withdrawing its proposed amendments on legislation allowing security agencies greater access to encrypted communications (creating "backdoors" in WhatsApp, iMessage, and other "over-the-top" messaging apps) (Worthington & Bogle, 2018). Internationally, this new law was received as an "encryption-busting law that could impact global privacy", as a Wired magazine report put it (Newman, 2018).
On the direction of the government, the ACCC is also a key player in a second, related yet distinct initiative to better conceptualize and enact one very particular kind of digital right, in the form of a consumer data right. Data generated by consumers in using particular technologies, and their associated products and services, often resides with, and is controlled or even owned by, the company providing it. If consumers cannot access and transfer their data from one provider to another, and especially if they cannot trust a provider to use their data in agreed ways, this makes it difficult for a competitive market to be effectively established and sustained.
Following The Australia consumer data right has its parallels in European developments, such as the data portability right under the GDPR (Esayas & Daly, 2018), although its foundation lies in consumer rights, rather than broader digital or human rights. Such a concept of a data right - as something that an individual has ownership of - is clearly bound up with the controversial debates on "data as commodity" (e.g. Nimmer & Krauthaus, 1992; Fuchs, 2012), and indeed the wide-ranging debate underway about what "good data" concepts and practices might look like (Daly, 2019). The Productivity Commission report, which provides the theoretical basis for the data right, summarizes it as follows:
"Rights to use data will give better outcomes for consumers than ownership: the concept of your data always being your data suggests a more inalienable right than one of ownership (which can be contracted away or sold). And in any event, consumers do not own their data in Australia." (Productivity Commission, 2017, p. 191)
The consumer would have the "right to obtain a machine-readable copy of their own digital data" (p. 191), however the "asset" would be a joint property:
"Consumer data would be a joint asset between the individual consumer and the entity holding the data. Exercise of the Right by a consumer would not alter the ability of the initial data holder to retain and keep using the data." (Productivity Commission, 2017, p. 191)
The government's plan is to implement the consumer data right initially in the banking, energy, and telecommunications sectors, and then to roll it out economy wide sector-by-sector (Australian Government, 2018). The ACCC was charged with developing the rules for the consumer data right framework (ACCC, 2018a), of which it has released a preliminary version.
The consumer data right framework would be nested inside the general privacy protection framework existing in Australia, especially the Privacy Act. This has led to criticisms - even from industry participants, such as the energy company AGL - that the government should take the opportunity to update and strengthen the existing Privacy Act (for instance, in relation to the Australian Privacy Principles), rather than creating a separate set of privacy safeguards, in effect leading to "twin privacy regimes" that would "complicate compliance as well as the collection of consents for data sharing from consumers" (Crozier, 2019; Dept of Prime Minister & Cabinet, 2018).
What is especially interesting in this process is the role that standards play. In the long term, the government has promised the establishment of a Data Standards Body, with an Advisory Committee including representatives of data holders (such as banks, telecommunications, and energy companies), data "recipients" (such as fintech firms), and consumer and privacy advocates. The Data Standards Body would be led by an independent Chair responsible for selection of the Advisory Committee, as well as "ensuring appropriate government, process, and stakeholder engagement" (Australian Government, 2018 (Nguyen & Solomon, 2018), how the framework strikes a balance will be crucial: "For consumers to benefit, policy settings need to drive innovation, enhance competition, protect human rights and the right to privacy and, ultimately, enable genuine consumer choice" (CPRC, 2018). So far, however, the framework, draft rules, and policy process have been heavily criticised by the CPRC, other consumer advocacy, privacy, digital rights groups, industry participants, and parliamentarians (Eyers, 2019).

CONCLUSION
Citizen uses of and attitudes to privacy and data are at the heart of contemporary internet and emerging technologies. Much more work needs to be done to fill out the picture on these internationally. In particular it will be important to ensure that the full range of citizens and societies are represented in research and theory. Also it is key that such work is translated into the kinds of insights and evidence shaping and woven into the often messy policy and law making, discourses, and institutional arrangements. We would hope to see serious efforts to engage with citizens regarding their understandings, expectations, and experience of digital rights and developing technologies, with a view to informing strong, responsive citizen-centred frameworks in law, policy, technology design, and product and service offerings.
Globally, there are legislative and regulatory efforts underway to respond to people's concern about developments in data collection and use, and the feeling, documented in our research and the research of others, of an absence of effective control. The European efforts such as the Convention 108+ and GDPR have been vital in the wider international scene to provide resources and norms that can help influence, guide, or, better still, structure government and corporate frameworks and behaviour.
This paper makes a case for the importance of local context. Australia is an interesting case for examining government responses to concerns about data collection and use, as a technologically advanced, Western developed nation without an effective human (or digital) rights framework.
In Australia, it is notable that efforts to respond to concern have come, not in the context of an overhaul of privacy laws or digital rights generally, but via efforts by market-oriented policy bodies (the ACCC and Productivity Commission) to make markets work better and meet the needs and expectations of consumers.
In the case of the Digital Platforms Inquiry, there are internationally leading reforms to frameworks on data, algorithms, and privacy rights proposed that betoken a major step forward for citizens' digital rights. Yet in play is a political and policy process in which citizen concerns and activism are allied with some actors (even potentially old media companies), while pitted against others (digital platforms companies, including those such as Google who often argue for some element of digital rights). Ultimately it will be up to the government concerned to take action, and then for the regulators and key industry interests to be prepared to lead necessary change, ensuring citizens will have a fair and strong role in shaping co-regulatory frameworks and practices.
Like the premise of the Digital Platforms Inquiry, the Consumer Data Right initiative involves designing the architecture - legal, economic, and technical - to ensure the effective and fair operation of markets in consumer data. In both initiatives undertaken by the ACCC there is a common thread - they are aligned with consumer protection, rather than citizen concerns and rights. Here the consent, labour, and legitimation of consumers is in tension, rather than in harmony, it could be suggested, with the interests of citizens (Lunt & Livingstone, 2012). At the same time, individuals' privacy rights as citizens seem to be missing from the debate, subsumed under an overwhelming security imperative that frames individual privacy as consistently a lower priority than broad law enforcement and national security goals.
Thus, Australia offers a fascinating and instructive instance where an internet policy experiment in compartmentalised data privacy rights is being predicated and attempted. Given the story so far, we would say that it is further evidence of the imperative for strong regulatory frameworks that capture and pin together transnational, regional, national, and sub-national levels and modes to address citizens' mounting privacy and data concerns; at the same time, it offers yet more evidence that, at best, this remains, in Australia as elsewhere, a work in process.