Privacy reform must reflect different roles in data handling


Jared Ragland
Contributor

Like many governments and economies, Australia is working to modify and expand its privacy rules to reflect technological innovation.

The emergence of artificial intelligence and heightened awareness of how personal information is handled have rightly prompted new policy debates both in Australia and around the world.

As the government completes a multi-year review of the Privacy Act, Australia’s approach to privacy has arrived at a turning point.

The government should seize this opportunity to adapt the Privacy Act to better protect consumers, empower Australian businesses to compete globally, and ultimately align its privacy rules with bedrock principles embraced by other leading economies internationally.

One of the most pivotal reforms to the Privacy Act should recognise the different roles that different organisations play in handling personal data – and create distinct obligations based on those roles.

This is an approach that the BSA (also known as the Software Alliance) and its members – enterprise software companies that deliver AI, cloud computing, cybersecurity, and other technology services to organisations around the world – have identified as the most effective way to deliver workable and meaningful privacy protections. The approach has additional benefits that clearly extend to businesses and consumers.

Prevailing privacy laws in other markets include this distinction, which reflects a role for both ‘controllers’ and ‘processors’ of information.

Controllers decide whether and how to collect data from consumers, and the purposes for which that data is used; processors are responsible for processing that data at the direction of the controller.

This concept underpins modern privacy laws internationally, and is a longstanding pillar of privacy policy dating back to 1980. The controller-processor distinction is a fundamental element of policy represented in the privacy laws of the European Union, Japan, Singapore, and many other countries.

Australia is currently an outlier, as the Privacy Act does not set different obligations based on the different roles these companies play.

Incorporating the controller-processor distinction into the Privacy Act will not only put Australia’s policies on par with other leading economies, but it will also have the benefit of improving privacy protections for consumers and improving businesses’ competitiveness.

Because controllers decide why and how to use personal data, they should have consumer-facing obligations like seeking consent from their customers when collecting personal data.

Processors, which handle personal data on behalf of controllers, should have to process data securely and act at the controller’s instructions.

Recognising these roles helps policymakers create clearer obligations for companies and clearer rights for consumers.

Failing to make this distinction can have real negative consequences. For instance, if both controllers and processors must ask individuals for consent to handle their data, consumers will be inundated with duplicative consent requests.

Consumers should also have a clear understanding of which companies to turn to when exercising their rights to access, correct, or delete data.

This distinction can also help Australian businesses expanding into other markets. Because other major economies organise privacy laws in similar ways, creating a controller-processor distinction in Australia will help Australian businesses better understand how their obligations at home compare with obligations in other markets.

Companies looking to invest in Australia will also benefit from this distinction, because they can more readily understand how their existing data protection practices align with Australian law.

It also signals Australia’s commitment to upholding the highest standards of privacy and personal data protection, which has become a critical factor in global commerce.

In its Response to the Privacy Act Review Report in September last year, the government agreed in principle to adopt the controller-processor distinction.

It is now time to make that welcome pronouncement a reality of policy. The government should include a clear controller-processor distinction as part of its forthcoming reforms to the Privacy Act.

Declining to do so would represent a missed opportunity for Australia to modernise its privacy law and ensure it is fit for purpose in the digital age.

Jared Ragland is Senior Director, Policy for the APAC region for BSA | The Software Alliance, a global trade organisation representing enterprise software companies. He is responsible for the industry’s advocacy before governments in the Asia-Pacific region, including Australia.
