Do Aussies need a right to be forgotten online? Can we trust Google’s new “Privacy Sandbox”? Vertical Hold Ep 416
What would an Australian “right to be forgotten” law look like? Google’s promising to track you less on Android phones… but can it be trusted? Special guest Consumer Policy Research Centre Digital Policy’s Director Chandni Gupta!
It’s a big week for privacy… but obviously, being privacy-minded individuals we can’t tell you about it.
Well… OK. Now that you’re here, I guess we can.
The Federal Government is proposing a massive overhaul of the Privacy Act, which dates back to 1988.
It’s fair to say that our expectations around privacy and how it intersects with technology have changed a bit since 1988. Back then, being doxxed online would have had to take place on teletext, or maybe a BBS at a stretch.
So what’s in the new proposals, what’s good and what’s not? We’re joined by the CPC’s Chandni Gupta to look at the big picture and fine detail of the privacy act changes as proposes — and what we’d like to see.
Speaking of privacy, there’s Google. And usually when we say “Google” and “Privacy” in the same sentence, it’s a bad thing. Except…. maybe this isn’t?
Google’s testing out a new “Privacy Sandbox” for Android that would change the way it tracks users for ad purposes. It’s not saying it won’t track them… but the way it does and the data it collects and shares may change. Is Google finally reverting back to its “Do no evil” ways?
Do Australians need an online right to be forgotten law?
And can we trust Google’s new privacy sandbox?
Hey there, welcome back to vertical hole behind the tech news. The award winning tech podcast where we catch up with Australia’s leading technology journalists and commentators to dive into the big tech news of the week.
I’m Adam Turner, and I’m joined as always by Alex Kipman. Now, Alex, the Apple rumour mills have gone into hyperdrive, saying we might see a foldable iPhone and the mythical Apple AR VR headset this year. Are you already saving your pennies?
Well, look, I think it would be very bold of Apple to release both products this year, like seriously bold, because neither of those things are going to be, shall we say, affordable or sane. So I think my pennies can sit in the piggy bank that’s been sitting there waiting for the Apple car, and Apple flat screen TV all these years.
So this week, we’re joined by a new guest on the show. From the Consumer Policy Research Centre, it’s Chandni Gupta. Chandni — Welcome to the show!
Thank you for having me.
Chandni, what are you saving up your pennies for tech wise this year?
You know what, back in the day, I loved a good flip phone. I was very little at the time, but I really liked it. So it wouldn’t be a bad thing. But what I’m actually really saving up for would be… I love my notebooks, like my paper and pens. But something that can make can be a digital notebook, that would be just lovely. And I know there’s a couple out there that I’m researching at the moment working out which one to go with.
You’ve come to the right place.
So it’s a big week in digital privacy with as we said, Google’s launching a new privacy sandbox for Android users. Because if there’s one group you can trust your data with is clearly Google.
But before that, it’s been a big week for all Australians in terms of privacy, with proposed changes to the Privacy Act, which could change a hell of a lot of things since was introduced way back in 1988. Alex, briefly what’s on the table here?
So there’s quite a lot of proposal. And actually, I mean, to a certain extent, quite a lot of detail. It’s a 320 page document.
It’s fairly serious bedside reading, covering everything from the way businesses collect and store data, and the way consumers and ordinary people can then interact with that data and keep it safe and keep it private.
Chandni, what big changes are you seeing in this that you see that are kind of most significant?
Well, one thing I mean, it’s so fantastic that it is finally coming out of the 80s. And we’re leaving behind the floppy disks and the CDs.
And we’re finally going to be in the 21st century, which is so exciting.
What I’m seeing is the way they’re proposing reforms that really go beyond notification and consent, that’s a really positive move, and their way of expanding the definition of personal information.
And really modernising what it means to be identifiable, that was really pleasing to see that they’re considering that, and then putting those stronger obligations on businesses to really assess how they’re collecting and using data, which is not something that is currently in place at the moment.
And so those are three things are really, really positive to see that they’re openly discussing about it there.
They have proposed some really big reforms, and if they go through we will be in the space where we can really be protected by the digital economy that is there now and what will come in the future, as opposed to what was sitting there in the 80s.
And let’s face it, I think the internet was only just coming on board in the 80s.
So the fact that privacy act at the moment, is has protections in there, from a time when internet wasn’t even a thing, to now, getting it to a reform position where it is really going to help protect consumers when they are online when they are interacting.
They’re getting their products and services when they’re connecting with others online, knowing that there is a better way for them to be protected in that space. That is what has been really, really positive to see at this stage.
So we’re just talking big picture things here. Are we seeing details because I can say a lot of phrases like risks must be considered and protections applied accordingly, which kind of means stuff all until you actually, you know, that could mean anything?
Who makes the decisions on what these mean? And are we getting to the point where we will actually figure all that out? Or are we still just trying to establish the general aim and overall ambitions.
So it’s really a mix. So what I’ve seen from what I’ve seen so far, which is from 6am, this morning, so forgive me, but what I’ve seen so far is that in in some cases, they’re really clear about what is going to be included, or what they would like to have included, should I say, so things like personal information, they’ve been really clear that it’s not going to be just personal information, but information that is inferred about you, or it’s related to you.
So getting really down to the specifics. But in many of the other aspects of it, it’s going to be in the detail. And something that I’ve noticed is in quite a few stages, they’ve, in the paper, they’ve specifically said, the Information Commissioner will provide guidance on this, or will provide extra guidance and examples on this.
And that is going to be really interesting.
It does mean that the Privacy Act could be quite flexible, because it can evolve over time as guidance is updated and expanded. But it does mean we as there is still a level of uncertainty, potentially of how far some of those protections will go. So it’s at some point, some aspects of it are a bit Wait and watch.
Australian Consumer Law, for example, is deliberately broad and vague. And that’s generally seen as a good thing, because it expands protections, it keeps us safer. And it means you don’t have to modify Australian Consumer Law quite as much.
We’ve already established, it’s been an awfully long time since the Privacy Act was redefined. Is keeping it broad and vague perhaps — and I’m very much playing devil’s advocate here — is that perhaps a good thing because it then might allow for that kind of broad scope, right, this actually means a lot more for those technologies coming, you know, not just right now that it’s catching up to, but 10 or 20 years down the track.
So definitely a principles-based approach allows that flexibility. It allows the act to kind of evolve over time, because we know of the harms that are being caused now by collecting and sharing data, by the way it’s being used, why predictions are made about people, how data is enabling what you see, what you don’t see and what you’re excluded from.
So these are things that we’re seeing now.
But having that principle-based approach does mean that it is there then for the future, to be able to not have to be reiterated over and over.
And you don’t want someone to limit the scope.
So they’re approached of having a principle basis. Great.
But it’s the guidance and the way the leaning towards the guidance and what that will look like and also how much will be looked at in the guidance.
And whether the guidance, you also don’t want the guidance being misused by particular actors. So that’s where I think the tension will be. And that’s really in the detail of what will come out later.
Is there anything missing here anything that people were expecting or hoping for that they’ve just overlooked?
So there’s two things that really, it’s not quite clear.
We were really hoping for a very clear pathway to redress when things go wrong.
So when you have an issue with your telco, with your site, your mobile phone provider or with your energy provider, there’s an ombudsman you can go to, so you can go there, you can get your help when things have gone wrong, and you can’t sort it out with the supplier.
It isn’t really quite clear how redress is going to be managed in the privacy act at this stage.
They are talking about a direct right of action. And that of course, it opens up the opportunity for class actions, it means people can individually take on action, which is great, but it does mean the onus is still kind of, it seems like it’s sitting on the consumers and on people to actually resolve these issues. So it would have been great. Like we have always been championing the idea of a digital ombudsman, where you don’t have to think about — was it a privacy harm I had? Was it an issue with the actual marketplace that I was at? If it’s a harm that’s happened digitally, if you’ve gone through that you’ve been harmed via through the online space, you should be able to have a way forward that is a clearer way to get redress and remedy.
So that at the moment is a little unclear.
The other thing that really is not clear is the enforcement power. There is discussion about the OAIC being more enhanced in their enforcement.
And that was really great to see that they’re thinking about it. But how?
What is that going to actually look like?
So if all of these protections are in place, which is great, what is it actually going to look like when it’s being enforced?
How is it going to be tested and assessed, so for different areas, such as the banking sector, or in other sectors where you’ve got away to test and assess and pause? When you see an emerging harm take place, you see it in product safety, there’s a way to actually bring in interim bans, when you see a product that’s new to the market has potential to cause harm, or it or has caused harm, a ban can be put in place.
And then you can evaluate, a regulator can evaluate it and goes from there, to then bring in a permanent ban, by the Minister, or the other side of physical product intervention powers that currently exist in the finance sector, where a regulator like ASIC can investigate and put, even though at the moment, it’s a temporary ban, but a ban on particular or restrictions on particular practices.
So that’s something we aren’t quite seeing at the moment, from what I’ve seen so far.
What we’d really like to see is the regulator, the privacy regulator be as strong as our other regulators like the competition, consumer regulator, and like ASIC.
So it really needs to be on par and needs to be able to have the support to be able to do that — they are definitely under resourced there.
And the way to support — there needs to be one — give them the powers, give them the resources to be able to do what they need to do to help keep Australians safe.
So I’ve been diving into some of the detail that is there, and it is a 320 page document. There’s an awful lot there. One of the things I noticed was the proposal to give Australians the right to opt out of targeted marketing.
Typically speaking, at least to my understanding of the way a lot of these schemes typically work, there’s a bigger consumer benefit to making those things inherently opt in. Or is it just in case that we’ve already opted in, because we use a Google or a Facebook or whatever?
Wouldn’t opt in be a better phrasing for that or a better approach?
They have talked about privacy by default framework. But they’ve only mentioned it, it’s unclear what that would actually look like. It’s definitely that opt out is a step forward, if it’s clear, and user friendly, really easy to access.
Without question, we’ve always championed pro-privacy defaults, to be able to opt into things to see them instead of opt out.
So that is something we will be looking into in more detail over the next few weeks.
But certainly, if there are some things that are just not allowed, and they have — one thing that I really noticed was that noticing consent, so making sure that there are just some things that will be restricted, and therefore noticing consent would only be used in the absolute, absolute necessary places that can help to some extent.
But ideally, ideally, you’d want to be having these conversations that you’re opting in, instead of instead of having to go down every single platform and opt out, because let’s face it, we’re not just on one or two platforms, we are everywhere. We are consuming information online, from everywhere.
There’s been talk for a while about the idea of the right to be forgotten. I know they’ve talked about it a bit in the EU. Is that something we have here now? Or is that something that’s proposed under this?
So they have touched on the idea of the right to be forgotten. But what they propose is deindexing.
So it’s a “right to be forgotten” when we completely forget me from all sorts of parts of the internet.
Now, note that not everything you visit is an Australian web site.
It could be somewhere else, which makes the whole right to be forgotten more complex, ideal to be able to do that, but potentially inherently complex. Deindexing it is a step forward in a way.
What it’s doing is it’s allowing you as a as an individual, to have search engines, nothow results of you, of the things that you do not want them to see where you want others to see, sorry, I should say.
And so that is the that is just that one step forward, and that will be harder to find things. So you’d learn not that you’d be forgotten, but it would be harder to find you.
One of the reasons that the the EU, I think, the GDPR, if I remember the terminology correctly, one of the things that the EU model for that I think had is it has strength is the size of their market.
They could kind of say, Look, we’re a decent chunk of the internet, not all of it, of course, but a decent chunk of the internet.
So what we say goes, how difficult some of these proposals, including deindexing going to be to enforce given Australia, you know, what, 25 million people in change or something like that?
We’re a small market. Are these laws simply going to affect an Australian, you know, publisher online site, but nothing else?
Well, we’re small, but we’re mighty. So we’ll remember that way. But one of the things is that the way the way the reforms are being proposed, they’re being proposed in a way where it is harmonising a lot with the other international standards.
So it should be able to capture I mean, yes, it’s ambitious. But I’m so glad that it is ambitious, what they’re hoping to achieve.
But what that will allow you, allow companies to do is to be able to streamline their approach.
So if it is harmonised and really aligns with a lot of the International protections which are well ahead from where we are at the moment, we will be in a much better, we are likely to be in much better position in terms of the protections we have.
So but again, it all depends on though, how it’s enforced.
And I think and how businesses will be held accountable for that. So that is going to be where the test will come through.
I find it interesting some of the things that in theory, if all of this goes through and again, this is I think, under consultation until the end of March, I think it is and then they propose moving forward with whatever data they’ve got, then are the exemptions because for example, under the current very ancient Privacy Act, small businesses are exempt. But my understanding is they probably wouldn’t be or they’re suggesting they might not be. But political parties will broadly still be exempt, although they have to have published privacy policies. And there’s this odd political statement that they can’t directly target voters outside of political affiliations. And I’m not even sure if that’s a sentence.
Weasel words, they sound very much like weasel words to me.
I guess the broader question here is, is it a good sign when we’re talking about ‘Well, let’s have a new revised wonderful Privacy Act. But let’s put all these loopholes in here straight from the get go.’?
So the small business, what they’re suggesting at the moment is that it would apply to all businesses.
And in one way, when you look at it, it’s really positive. Because it’s there, we know of small businesses, like, take your real estate agency, they collect a lot of sensitive data about you, it is a small business, they should be able to have a way and should be held accountable for keeping that information safe from being the way it’s collected to the way it’s whether it’s shared outside and how it’s used, they should have those obligations in place.
I don’t think anyone will disagree with that. It’s so the sensitivity of the information could also play a role in this, I think it will be a really interesting discussion where we ended up because as I say, it’s discussion that small businesses need to be part of as well will need to be, will need to understand what the impost might be on them.
But also what are the obligations?
That would just mean that it’s a fairer outcome for Australians. So it’ll be interesting where it goes, but it’s really positive at the moment that they are willing to, open to at least have that considered because there is there is definitely a recognition that the way data is used and the way it’s collected and shared.
It’s not just about the big tech companies. Yes, that is definitely up there.
But it is the sensitivity of it and everyone, everyone in that data space has a role to play to keep consumers safe.
We now pause Vertical Hold to remind you to subscribe to Vertical Hold so that you can get every episode as soon as it hits every Friday, delivered fresh through whichever podcast app you choose to use.
So, keeping with a privacy theme — when we say privacy and Google in the same sentence, usually, well, it’s not usually a very positive kind of thing.
And Google this week has announced a new privacy sandbox for Android users. A sandbox is the kind of thing I used to play with as a kid. Or in some cases, the kind of thing that my cat might use for things that we won’t talk about right now. What’s Google actually doing with its privacy sandbox? What is it?
Well, a sandbox more generally, is what when they’re talking about an application, that it runs, basically, in its own little area, where it’s not connected to every where else, so it can do its thing, but it can’t necessarily see everything else on your phone. So that’s the general concept of a sandbox.
So they’re applying that to privacy.
So saying, this application, these apps can do what they need to do.
But that doesn’t mean they’ve got free rein to collect data from other apps to tell everybody all about you, we’re sort of limiting the scope of what they can do. Now, some of that’s already in place. But the main thing is going through what’s what Google has said.
And I’ll just read from their notes here, because it’s as usual, it’s 90% fluff and 10% actual detail. So the bit that looks like actual detail says that this proposal is to limit the sharing of user data with third parties, and operate without cross app identifiers, including advertising ideas, and the other half of it is exploring technologies to reduce the potential for covert data collection, including safer ways for apps to integrate with advertising tools. Sounds good in practice. So it sounds good in theory, what will it look like in practice?
So it’s really interesting, a lot of the focus often is on who is collecting my data? And how and who are they sharing it with?
They’re the two spaces, but the one where there is the highest risk of harm is how is that data being used.
And what from what I’ve seen so far, what it seems like it’s, it’s focusing on the user side of things.
So it’s still going to be able to target particular marketing practices, and it’s still going to be able to zone in on what you need. It just means that data is sitting somewhere else.
So it’s not actually being completely handed over. It sounds like decisions will still be made based on your data because of the way either how information is profiled through those categories, or however, that might end up looking like beyond the sandbox.
So it is really interesting, because I think one of the things we really need to be careful of, and this is why it’s so important to get the foundations right in the Privacy Act, and being able to really restrict and ban certain practices that are just not okay.
Because this is where you’ll then be able to limit the harm.
Because yes, it is really great to say, Yeah, we’re not gonna be sharing the data, we’ll only be keeping it here we’re keeping a really safe, but then you it looks like there are other means are being created to be able for, for targeting to still happen.
And so we just need to have it in a way that it is not causing harm.
There was a recent report by the foundation of alcohol and research education, specifically people 90% of people who they have surveyed, were concerned about seeing advertising of products that they were trying to give up.
And if the categorising is not done correctly, or if there are, or just the way the algorithm works, you just do not know what a consumer might be exposed to.
So it’ll be an interesting space of where it goes through. It’s great. I’ll get I’ll give a little shout out to Google. It’s great that they’re thinking about where to go in terms of collection sharing, but we really need to be careful about how data is being used and how it could it could be potentially harming consumers down the down the long term.
Is this Google just trying to do no evil for a change? Or is that they responding to changing regulations around the world? Like are they trying to get in front of the law?
Well, certainly with the change internationally for cookies, not being able to be used there. They will have to they will I mean, these are businesses, not just Google, but other businesses that have that have profited a lot from collecting, understanding and using people’s data and potentially not very much in the interests of consumer but to them.
So yes, potentially looking at how things they might be looking at how things are going forward.
In terms of each of the jurisdictions having a really clear look at privacy. and how it’s actually going to protect its consumers or its people within its countries. But at the same time, yeah, of course, they’re going to be creative.
It’s no surprise that they’re going to be creative, to see where they can still profit from, from this data, data enabled practices that they have, as but how that’s done, will really come down to what the foundation, the laws, if the safeguards are in place, you’ve got guardrails in place very specifically, on what can and can’t be done.
If you’ve got an enforcement regulator, who can actively enforce and mitigate harm, before it becomes, before it causes widespread harm, that they’re the things that are going to help shift some of that behaviour.
I wonder if their model here isn’t really designed to, I’m not going to say sidestep, because that does sound like they’re being legally dodgy. But sidestep, in a way, sidestep some of that regulation, because the model we’re talking about, which we kind of haven’t delved into that much, is basically this idea of, you’ll do a bunch of activity on your phone, you’ll do a bunch of Google searches or whatever, that will indicate that you’re interested in knitting alcohol, and car racing to pick three.
Wow, that’s quite a combination
That’s Friday night.
That’s a great Friday night, but say that you’re interested in those things. And classically, right at the moment, Google would be able to say right, well you visited this knitting forum, you bought these bottles of booze, and you watched this car race on YouTube or whatever.
What they’re now saying is on device, they will just grind all that up and go, right, you’re interested in knitting booze and car racing.
And that’s the stuff that they’ll then be able to supply to advertisers of wool, booze and tires, I guess.
So in a way they I guess, they could argue, well, look, we’re somewhat deidentifying this stuff.
We’re not saying you’re interested in this brand of beer, or this type of tyre or this colour of wool. We’re just saying these these broader things. Is that an approach though, that that we can regulate around? Is this a clever ploy?
Yeah, when you’ve picked up on a really interesting thing about the identification, the identification, and it has been touched in the privacy law, in the sorry, in the privacy review report at the moment, where they have looked at things being de identified and not being re identified, de identified in a way that it can’t be re identified and then therefore used for targeting.
So and you’ve we’ve seen this measures for not using data de identified data that can be re identified like it’s an offence in, in Singapore, Canada is already thinking about it in the UK as well.
So there’s already things in place to circumvent some of that de-identification being re identified, and then going back to target or profile specific people.
But this is where it will be really interesting. How businesses navigate the field at the moment in terms of privacy, and they get, you will start to see really creative ways. Because it’s been a long time since businesses have been able to profit from the way they use data and the way and the way they can target very, very, in a very finite way. And so I think the Sandbox is probably just one of the many, many new inventions, we’re going to see where they will test the laws of different jurisdictions.
So is this likely to have a big impact on the bottom line of some businesses or some advertisers, we saw what happened to Facebook, when Apple introduced some tighter restrictions around this?
Well, for some businesses who have very much have relied on a bundle consent approach, and then things have just gone from there. And for them, they’ve profited from data, database practices for them. Yeah, it’s definitely going, they’ll have to think of a shift on how they do things.
That doesn’t mean it’s going to completely… it shouldn’t, you shouldn’t have to be profiting from that causing harm to someone else.
So I think if we start looking at what is fair, what is are we doing things that are in the interests of the consumers and community.
Then the shift changes and potentially your businesses and the way they monetize their different activities changes as well.
It’s one thing we actually in the privacy act at the moment, they have actually talked about. A best interest for data collection, use and sharing to be in the best interest of children.
So if it takes place it has to be in the interest of the child.
And none otherwise, something like that duty of care or best interest that could be applied more widely.
And this is where you’d start really seeing a shift in how businesses will operate.
And it would be a shift that you’d see innovation in a way that would be actually good for consumers, as opposed to creating new and different harms for them.
Well, I’ve been speaking on the Facebook thing, their drop was primarily because Apple blocked cross app identifiers completely, they basically just said, you can’t share data between apps without clear consent. And of course, as soon as people said, Oh, do you really want to share your camera data with Facebook?
A lot of people went, No, I don’t think I do.
And they had to keep on operating within that, that saw Facebook’s revenue tumble. Apple — sorry, not Apple — Google is talking about crossover app identifies, but in a much softer way.
And in fact, the language around this is really, if you can read between the lines, it’s really very specifically anti Apple, they’ve said Yeah, other platforms have taken a different approach to ADS, privacy, bluntly, restrict the existing technologies used by developers and advertisers. We believe that — this is Google’s words, not mine — without first providing a privacy preserving alternative path. Such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses.
There’s a lot of business in that, and not a lot of user. Is Google just protecting its bottom line here, does it actually care about it, about the users who are the product, as we’ve said so many times on the show
Businesses naturally, traditionally in our economies are there to protect their bottom line.
And this is why it’s so important to get regulations right.
And the law is right to ensure that consumers, the other end of it, the people, the individuals are protected in a way so that because businesses can have their bottom line, but not at the expense of all of us.
Well, that just about wraps up this week’s episode of vertical hold. Thanks to Chandni for joining us.
Thank you for having me. So great to chat with you both.
It has been great. And look, now it is time for me to ask for you to opt in to, something you didn’t entirely see coming — the vertical hold three questions of doom. So please click here, if you agree.
Oh, well, you’ve not been completely transparent about what those three questions are. So I don’t think I can fully opt in. But yeah… I’ll opt in. I trust you. Go ahead.
I will in fact, in accordance with reasonable privacy principles, I will read out all three questions before you have read to any of them. And then you can answer them in the order in which you choose. Can’t be more transparent than that. They’re all fairly simple.
Anyway, as the longtime listeners will know, where can people find you online If they want to do so?
Where can they find you on social media, If you are on social media?
And a one-time privacy-centric sort of contentious question. We’ve talked a lot about regulations. We’ve talked a lot about what the rules should be. Let’s say that we make you prime minister with an overarching majority in every field of government for a day, what consumer law change are you going to make?
Oh, that’s a nice one. Okay, so you can find my work on cpsc.org.au. I’m on Twitter at @__chandnigupta or you can find me on LinkedIn.
The one law, while there is one law, it’s really close to my heart. And it’s a prohibition on unfair trading. We have, we’re one of the few jurisdictions that don’t have an unfair trading prohibition, which means unfair business practices are legal.
The US has had a prohibition like this since 1930s. The EU has had an unfair commercial Practices Directive since 2005. It’s time Australia made it illegal to have unfair practices here in Australia. Yeah. I’d love to see that. So that was one of the first things I would bring into force.
Viva El Presidente!
Honestly, I’d vote for that. And it’s a good job you’re becoming the prime minister, not me because my proposals would be considerably more out there.
But I will leave those for another day.
And as always, if you want to catch us online, you can do so @verticalholdau on Twitter, via the Vertical Hold Facebook page or on the web at verticalhold.com.au.
Thanks, everyone for opting in once again, don’t forget to drop us a line. Tell us what you love about the show. Tell us what we can do better in 2023!