ANZ has expressed concern over privacy reforms that would extend the definition of personal information to ‘singling out’, arguing that doing so could paradoxically result in increased surveillance of individuals.
Singling out is a concept referred to in the European Union's General Data Protection Regulation where a person can be distinguished from others, even when their identity is not known.
Its inclusion in the Privacy Act is being considered as part of a root-and-branch review by the Attorney-General's Department that would see the definition of personal information changed from ‘about’ to ‘relates to’.
At present, it is possible for technical information to fall outside of the definition of personal information because it is not directly about an individual, even if that person is ‘reasonably identifiable’.
But privacy advocates like UNSW senior lecturer Dr Katharine Kemp believe that even indirect information can be used to create a detailed picture of the ‘consumer behind the device’.
In its submission to the latest round of consultations for the review, ANZ said that “operational difficulties” could arise from amending the definition of reasonably identifiable to capture singling out.
It noted, however, that it was “not clear whether ‘identified, directly or indirectly’, is intended to capture singling out”, and that the definition of ‘reasonably identifiable’ needed further clarification.
ANZ said that if singling out was captured, practical compliance with some of the Australian Privacy Principles would be “challenging”, particularly where it has an obligation to communicate with an individual.
“What would be the appropriate response to an access or correction request or, if introduced, a right to objection or erasure, from an individual whose identity is not known?” the submission said.
“What authentication method should an entity implement to ensure that access is being provided to the correct singled out individual?”
ANZ said there were also “questions as to how accurately the ‘consumer behind the device’ can be singled out”, while noting the concerns that exist around manipulation and discrimination.
It considers the concept to be the ability to “single out a person in the crowd, such that they can be tracked, profiled, targeted, contacted or subject to a decision or action which impact them, even if that individual’s identity is not known”.
“Devices are often shared by multiple people in a household (eg sharing use of a computer or children accessing a parent’s phone),” the bank said.
“Extending the APPs to singling out could have the unfortunate result of increasing surveillance to reduce the risk of incorrectly disclosing the personal information of one household user to another.”
The bank said that surveillance could include “monitor[ing] keystroke pattern and any authenticated environments visited”.
“It is unlikely that an entity will be able to identify the same singled out user from one visit to an entity’s website to the next,” it added.
“This would mean that notifications and, where necessary, consents would be required for each visit resulting in consumer frustration and notification/consent fatigue.”
ANZ also said the proposal would “require collection notices to be provided to every singled out visitor to a website, and possibly consent sought to collect and use information from that website visitor”.
It said this risks limiting the ability to collect data to improve websites and services, and risks complaints from website users about the number of cookie pop-ups, as has been the experience in the UK.
“If the Privacy Act is amended to capture singling out, this type of ‘personal information’ would likely need its own regime of rules and constraints,” it concluded.
ANZ also raised concerns with the proposal to extend the definition of ‘sensitive information’ to financial transaction information, which it also said could lead to consent fatigue.
“If the definition... was amended to include financial information, the normal operation of the payment system and commerce would require much more explicit and granular consents,” it said.
“Financial system participants (e.g. banks, credit card schemes, merchants, payment intermediaries and fraud monitoring service providers) would require consumers’ consent to process payment information.
“This could result in consent fatigue for consumers and a significant compliance burden for financial system participants with minimal privacy benefit.”
This is consistent with the position of the Australian Banking Association, which said in its submission that such an expansion would not be appropriate and would “significantly impede ordinary banking services to the detriment of [its] customers”.
ANZ said that raw transaction data was not sensitive information “per se”, and information “inferred through positive steps from that raw data and applied to an individual’s profile” is already provided for under the Privacy Act.
“For example, transaction information may include subscriptions to political organisations. Alone, this raw data is personal information but not sensitive information,” it said.
“However, if an entity forms an opinion from this information (e.g. through the use of analytics) that the account holder holds particular political opinions, this opinion would be a collection of ‘sensitive information’ and subject to the additional protections set out in the Act.”
ANZ also used its submission to argue in favour of continuing to use ‘de-identified’ rather than ‘anonymous’ as the threshold at which the Privacy Act no longer applies to data.
It said that anonymisation could impact its ability to re-use data, and could even make data misleading by “conceal[ing] important differences between and among subgroup categories”.
“Requiring this higher standard of de-identification may impact data utility because it would require the application of more comprehensive de-identification techniques,” the submission states.
The bank recognised, however, that “current de-identification techniques can be inconsistent and lack the appropriate rigour”, leading it to suggest changes to existing practices.
“Consideration could be given to strengthening de-identification practices through legal standards, perhaps by drawing on the de-identification decision making framework,” it said.
“We also support [the proposal] to introduce a re-identification offence with appropriate amendments as a further safeguard against inappropriate re-identification.”