Automated technologies using artificial intelligence are increasingly being applied in daily life, and Australia is no exception. Transportation has emerged as a prominent area in which AI and automation are being deployed among the general population, most notably in unmanned aerial vehicles (UAVs – better known as drones) and autonomous vehicles (better known as ‘driverless cars’). While these technologies promise certain social and economic benefits, they also have their costs, particularly as regards the privacy and data protection rights and interests of the individuals who use them.
Privacy laws in Australia
Australia is unusual as a Western-style liberal democracy lacking comprehensive constitutional rights. There is, accordingly, no right to privacy enshrined in the Australian Constitution, despite Australia being a signatory to various international human rights treaties, including the International Covenant on Civil and Political Rights (ICCPR), whose Article 17 protects the right to privacy.
Instead, aspects of privacy and data protection rights are protected through legislation, although this is very much a patchwork of different statutes protecting different aspects of privacy rather than an overarching enforceable principle.
Most prominent among the legislative protection of privacy is the federal Privacy Act 1988 (Cth). This legislation regulates the handling of personal information about individuals (natural persons) in the form of the Australian Privacy Principles (APPs) which include the collection, use, storage and disclosure of this information, as well as access to and correction of the information. This scheme takes a similar model to European Union data protection law, but is considered to give weaker protection to data privacy interests than in EU law. For instance, businesses with a turnover of less than AU$3 million are not subject to the APPs, whereas in the EU they would likely be subject to data protection law there. Also, individuals in Australia cannot directly enforce their rights and interests protected by the APPs – they must make a complaint to the federal Privacy Commissioner who can take action on their behalf. However, in recent years there have been concerns about the Privacy Commissioner not receiving adequate resources from the Government, raising questions of how effectively this office can enforce the APPs.
There have also been calls to implement a statutory tort for serious invasions of privacy, but currently no such tort has been legislated into the Australian law books.
Automated transportation in Australia
Despite these concerns around the adequacy of privacy protection, Australia has been keen to embrace new automated technologies and can be viewed as an early adopter of many of them. In recent times, this has been supplemented by government policies around innovation such as the National Innovation and Science Agenda and state-level initiatives such as Advance Queensland. There is also a significant amount of academic and industry research being conducted in Australia on robotics, including applications in the agricultural and mining and resources sectors, two of the country’s most economically important industries.
Drones and driverless cars have emerged as two technologies growing in popularity among Australians. Cheap drones are retailing for under AU$100 and so within the purchasing power of the average Australian. Australia is one of the world’s first markets to develop and test driverless cars and a Tesla executive has claimed that all cars on Australian roads will be driverless by 2030!
Both drones and driverless cars as technologies do not inherently pose privacy concerns, but their roll-out has usually involved them being coupled with cameras and sensors which collect data about their passengers/users and other individuals and objects in their surroundings.
So far in Australia, drones have only been specifically governed by the Civil Aviation Safety Regulations 1998 (Cth), which are designed to ensure the safe use of aircraft, rather than any specific privacy purpose. In 2002, these regulations were modified to include rules specifically governing the use of drones (reportedly a world first), again laying down rules primarily concerned with the safe operation of these machines, including a rule that drones should not be operated within 30 meters of a person not involved in their operation and drones should not be operated over ‘populous’ areas. In 2016, these measures were updated, largely to deregulate the use of small drones by both individuals and businesses. The aviation regulator, the Civil Aviation Safety Authority (CASA), has acknowledged the privacy concerns that drones engender, but views privacy as an area outside of its remit, and instead within the powers of the federal Privacy Commissioner. So far, the Privacy Commissioner has not issued any official Guidance as to how Australian privacy laws might apply to drone use. This contrasts with its UK counterpart, the Information Commissioner’s Office, which updated its Guidance to CCTV operators to include advice on drones, including practical steps to implementing privacy by design and providing information to passers-by about drone use in a particular area. Australia’s approach also contrasts with other countries in the Asia Pacific region such as Hong Kong, whose Office of the Privacy Commissioner for Personal Data also published Guidance on CCTV Surveillance and Use of Drones in 2015. However Singapore has taken a similar approach to Australia: it has introduced specific regulations for drone safety but nothing specific on privacy issues. Thailand has also introduced laws regarding drone use, which include a provision that drones should not be flown in a way which violates the privacy rights of other people.
One large impediment to the application of current Australian privacy laws to civilian drone activity is the $3 million turnover requirement. Accordingly, these laws would not apply to much individual and small business use of drones. Furthermore, police or military drone activity is also likely to be exempted from the Privacy Act’s application.
The Australian House of Representatives Standing Committee on Social Policy and Legal Affairs did issue a report in July 2014 on air safety and privacy aspects of drones. The report included various recommendations for the Australian Government, including to legislate against ‘privacy-invasive technologies’, but so far the Government has not taken any action. However, the Australian Parliament may be considering drone issues again, with discussion of a Senate Inquiry into drone use late this year, although reports suggest that its focus will be on air safety and potential industrial applications of drones in agriculture, as opposed to privacy.
Driverless cars and their regulation are a topical issue throughout the world, including the Asia Pacific region. Singapore’s Ministry of Transport set up a Committee on Autonomous Road Transport for Singapore (CARTS) to oversee the development and deployment of driverless cars in that country, including their interaction with the legal and regulatory framework. China is also reportedly in the process of formulating rules for testing driverless cars, and Japan has also been considering the extent to which its legal and regulatory frameworks will need to be changed to accommodate driverless cars.
In Australia, a joint New South Wales Standing Committee on road safety released a report in September 2016 on driverless vehicles and road safety, which included an acknowledgement of privacy and data issues arising from driverless cars and the data systems which they utilise. It considered that the APPs would likely apply to driverless cars if they are found to generate personal information. However, questions remain as to whether certain types of data generated by driverless cars would indeed constitute ‘personal information’ for the purposes of the Privacy Act and APPs. The NSW Committee also acknowledged ‘outstanding issues’ with the existing regulatory framework for privacy in Australia, including the exemptions for small businesses and law enforcement activities.
The Australian National Transport Commission has also just released a report containing its recommendations for regulatory reforms for automated road vehicles. One of the recommendations is for the NTC to develop options for managing government access to the data collected by driverless cars which should have regard to users’ privacy interests as well as road safety, network efficiency and efficient traffic law enforcement. However, the NTC does seem to consider the privacy laws in place as sufficient and not in need of any reform at the current time, at least vis-à-vis private sector organisations involved in autonomous vehicles accessing data. But it does recommend that automated driving systems provide the highest level of anonymity and privacy protection for drivers and occupants, and that current exemptions for certain government agencies in the Privacy Act may have to be revisited in the event automated vehicle data renders individuals reasonably identifiable.
The implementation of autonomous transportation so far in Australia, in the form of drones and the emerging driverless cars, has raised privacy issues and engendered calls for reform to privacy laws, yet in practice so far none have been forthcoming.
The fact that privacy concerns are acknowledged by the road and transport authorities in their consideration of driverless cars is to be welcomed, given the early stage of deployment. The possibility thus remains that these concerns may be taken into account in any subsequent regulatory measures. However, if the experience with drones is to be followed, then all that may happen is that these privacy concerns and risks are acknowledged, but then nothing is done to address them.
There also appears to be a growing awareness of privacy and data security issues in the Australian automotive industry, which is also to be welcomed, since these considerations must also be taken on board by those developing and selling the technology. While not specifically addressing privacy concerns, members of the drone industry in Australia have expressed their disapproval of the new CASA rules as not ensuring safety. If adequate government rules and regulations protecting privacy in the use of drones and driverless cars are not forthcoming, then it may be through industry self-regulation and market forces that the Australian public’s privacy and safety is best protected.
Yet in any event, while privacy is at least being spoken about as regards these developments in AI and automation in Australia, more action needs to be taken by both government authorities and private sector actors developing and implementing these systems to ensure citizens’ privacy is properly protected.
This feature was written exclusively for Digital Asia Hub. For permission to republish or for interviews with the author please contact Dev Lewis. This article is based on her working paper ‘Intelligent Laws for Intelligent Vehicles? An Appraisal of Australia’s Approach to Automation’.
- AI in Australian vehicles – how is privacy faring so far? - December 2, 2016