Buddle Findlay privacy specialists Amy Ryburn and Keri Johansson were excited to attend the 2024 IAPP (Institute of Privacy Professionals) ANZ Summit in Melbourne this week, and report back here on some key ideas and themes that struck us after two full days of listening to academics, regulators and thought leaders, and talking to other practitioners, about current trends in privacy.
Keeping up with the pace of change
It's been a year where technology has continued to develop at breakneck speed, yet reform initiatives on both sides of the Tasman have slowed or stalled. In light of this, regulators are thinking creatively about how to keep pace. Speakers at the Summit spoke of the flexibility of the common law, and the ability of determinations, guidance notes and case law (although still slow moving and conservative) to 'fill in the gaps' and respond to technological change faster than legislation.
In Australia, the Privacy Commissioner has issued recent determinations that (among other things) interpret the law on lawful and fair collection, and the meaning of "necessary" in the context of exceptions to the APPs. These carefully reasoned decisions may be influential in New Zealand too and could cause businesses to revisit their use of facial recognition technology (FRT) and scraping technologies, even while statutory reforms are pending.
Closer to home, the New Zealand Office of the Privacy Commissioner (Office) has focussed on proactively releasing practical best practice guidance in Poupou Matatapu and statements of expectations around the use of AI, which explain the Office's interpretation of the law and may inform the Office's approach to enforcement.
Both regulators also hinted at the potential for consumer protection legislation, such as the prohibitions on unfair contract terms and misleading trade practices, to also be relevant in the privacy space.
Targeting, tracking and individuation
It's not just FRT, biometrics and scraping that might need revisiting in 2025 – industry and regulators are also looking more closely at anonymisation and tracking practises.
With investigations on the use of hashed data for targeting on social media in New Zealand, and new guidance in Australia on the use of pixels and tracking technologies, it's a good time to pause and check the basis for any e-marketing tools currently in use.
This issue is becoming particularly topical because machine learning and AI capabilities make it harder to effectively anonymise, and with exponentially growing volumes of 'individuated' information (used to single someone out without necessarily being able to name them).
Consent and transparency
We heard very thoughtful discussions of consent and transparency at the Summit, touching on the impossibility of reading every privacy policy, consent fatigue, and the challenges in explaining complex data processing to busy people. Many of the speakers agreed that the days of individuals being deemed to have consented to or 'authorised' everything in a privacy policy just by ticking a box are well and truly over.
Just because you can doesn't mean you should
Themes of social licence, human rights and fairness underpinned many of the speaker's comments, including in relation to the topics above. Many speakers spoke of practices that may not be expressly addressed in our privacy statutes in a way that allows room for technical arguments about compliance, but can be viewed as unnecessarily intrusive. By failing the privacy sniff-test those practices may well attract negative attention if not regulatory action. Forward-thinking organisations should take note.
