ATO may break law by pressing big four on privilege claims: barrister
Why it’s important for Australia to get data regulation right
After a decade-long, soft-law approach to data regulation, Canberra’s regulators are stepping up digital oversight, turning their attention to computer algorithms and digital transparency, in the first move to formally regulate the use and management of data across the economy.
In an attempt to bring some coherence to the regulatory response to the exploding use of data across the economy, the big four regulators that play in the information space have formed a Digital Platforms Regulators
At their first meeting, the heads of each of the regulators set out their priorities, focusing on algorithms and digital transparency.
At the meeting were Australian Consumer and Competition Commission chairman Gina Cass-Gottlieb, Australian Information Commissioner (and Privacy Commissioner) Angelene Falk, Australian Communications and Media Authority chairman Nerida O’Loughlin, and eSafety Commissioner Julie Inman Grant.
The focus on algorithms comes as automated decision-making software programs arebecoming mainstream. Many of these applications use artificial intelligence (AI) to parse data and make decisions without human intervention, based on how the algorithm has been programmed.
Examples include Netflix and the ABC’s iview program recommendation engines, Google’s search engine that ranks search returns based on an algorithm that considers the relevance of the content, and the “curated” feeds that underpin Facebook, Instagram, TikTok and Twitter.
In government, leading service providers such as the Australian Tax Office are using service bots to automate form filling and data collection. But the big prize for government is using AI to unlock the zettabytes of data sitting in government policing, human services, health and transport systems. AI sees patterns humans can’t, and the promise is that soon it will be able to unleash the extraordinary collected wisdom sitting in the case files of thousands of public agencies.
Unlocking the potential of AI
More broadly, Accenture has predicted that the deployment of AI and automated decision-making will double economic growth by 2035 and boost labour productivity as much as 40 per cent, an alluring prize for policymakers looking for productivity-driven growth.
There have been some notable examples of data regulation: the media bargaining code, anti-trolling, the nascent consumer data right regime and a strengthening of cybersecurity requirements. But these interventions have lacked any coherence and, absent any strong policy response from their mother departments, the regulators have brought a light touch to data regulation.
It is no coincidence that, with the arrival of a new government, regulators have taken things into their own hands.
For more than a decade, Australia has taken a soft-law, principles-based approach to oversight of algorithms, signing up to the OECD’s Principles on Artificial Intelligence in 2019.
This in turn prompted the industry department – wearing its digital economy hat – to publish an eight-point ethics framework for AI. This was released last year as part of a much hyped $100 million AI action plan.
Former Gilbert+Tobin and UNSW professor of practice Peter Leonard is one of a handful of experts who are across the policy, technology and black-letter complexity of Australian data regulation.
Time to get serious
Leonard has called for Australia to get serious about algorithmic management, citing Canada, which has a fully designed artificial intelligence bill going through its national parliament. Australia does not even have a modern data privacy regime.
“I’ve been very critical of the federal government because what they have been happy to do is publish stuff at, what you might call, an ethics or principles level,” says Leonard.
Only a complex and data-mature organisation could actually engage on these because it’s all at a level of generality. That means that small organisations look at it and say, ‘well, I agree with all of that, but I don’t know exactly what to do’.
“What is the process, the methodology, the ways of working, the assessment framework that you need to apply in order to make these principles work?
“And that’s the bit that’s really been missing in Australia, and where some other governments – in particular Singapore, Canada, the EU and the UK – have been very willing and ready to engage.”
In the absence of digital policy leadership, it has been left to the regulators to make do with their limited analog-era regulatory tool kits.
With no foundational rights such as a personal right to privacy or a general catch-all protection to stop unfair consumer practices, the regulators already start behind.
As Leonard observes in his submission to the attorney-general’s privacy review, the lack of a rights foundation has meant much of the regulators’ attention has been on ensuring transparency and consent. (Leonard’s design manifesto for a 21st Australian privacy act is a must-read – see pages 33-37.)
In a world where data is being mashed up from multiple sources (and jurisdictions) and reused in complex, cloud-based algorithms (often with no obvious indication of where it is from) the regulators are instead stuck with last-century regimes that are hopelessly not fit for the digital world.
Scars from robodebt
Attempts to move forward have been fought off ferociously by the incumbent interests whose business models are most threatened by changes. These include the small business, marketing, media and political sectors, all of which have lobbied against reform, preferring to relitigate yesterday’s policy wars, rather than embrace the opportunities of the data world.
Blame the robodebt fiasco, but in government there remains a timidity about how to consider algorithmic decision-making, leaving Canberra hopelessly unconfident where to draw the lines on policy. A lack of fundamental technology knowledge among policy agencies, and no central policy agency with the intellectual grunt to strategically frame regulation, leaves Australia at least a decade behind best-practice thinking and regulation.
Acknowledging this huge regulatory gap, a small digital task force from the prime minister’s department had been beavering away on an AI and automated decision-making paper. The paper, tragically, was titled “Positioning Australia as a leader in digital economy regulation”, and officials are now considering submissions and what to do next. The task force is now part of the industry portfolio, which wrote the AI framework and principles.
Regulating around algorithms is broadly a “system of systems” issue, with the rapid rollout of so-called smart technologies powered by the “internet of things” beacons and 5G and 6G connectivity. Smart cars, homes, energy, etc, is where the real algorithmic game is being played.
Data flows drive these applications, suggesting that understanding data provenance is critical for those seeking assurance and confidence against bad and malevolent data practices.
Just as we track the provenance of good wines and stamp the bottles accordingly, regulators will need to understand the inputs, interconnections and cascading consequences of the algorithmic decision pipelines.
Those skills and capabilities simply don’t exist among the front-line regulators tasked with trying to frame responses, nor in the policy branches of the federal and state agencies advising ministers on how to consider smart system oversight.
Between them, the four regulators in the new digital platforms forum report to three different ministers, meaning the forum can move only as fast as their various departments are willing to engage.
The ACCC reports to Treasury, which typically sits in the low-regulation corner. ACMA and eSafety take their cues from the infrastructure behemoth and a communications policy division that has struggled to get even the most modest of convergence reforms up. And the privacy commissioner is part of the Attorney-General’s Department, an agency more at home with black-letter law than the flexible response demanded by fast-changing industrial and consumer practices.
The attorney-general’s seminal review of the Privacy Act has been a classic inside the beltway – a Canberra-knows-best exercise, with no transparency in deliberations and pathetically little serious engagement with those the legislation is meant to protect: citizens. The result is about 70 ideas on what might work, but no broad strategic intent to assess which of them should move forward.
It remains to be seen who in the new federal cabinet can frame data policy.
Finance Minister Katy Gallagher has remit over government data integration and the system architecture and taxonomies required.
But under current arrangements, Ed Husic (industry), Jim Chalmers (Treasury), Michelle Rowland (communications), Clare O’Neil (home affairs) and Mark Dreyfus (attorney-general) have some responsibility for digital and data regulation.
The problem is obvious. Meanwhile, Australia, laughably, has an ambition to be a top-10 digital nation by 2030.
Tom Burton has held senior editorial and publishing roles with The Mandarin, The Sydney Morning Herald and as Canberra bureau chief for The Australian Financial Review. He has won three Walkley awards.Connect with Tom on Twitter. Email Tom at tom.burton@afr.com