Government Pledge to Demystify Automated Decision-Making

In a push to improve data transparency and safeguard privacy, the Australian government has set out its intentions to overhaul the landscape of automated decision-making and data protection.

In a response [pdf]  to a two-year-long review [pdf]  of the Privacy Act, it promised to shed light on the often opaque world of automated decisions while simultaneously cracking down on the malicious re-identification of sensitive information.

Attorney-General Mark Dreyfus has given his stamp of approval to a portion of the 116 proposals presented by his department during the review of the Privacy Act. Out of these, 38 have garnered full agreement, with plans to enshrine them into law in the coming year. Another 68 proposals have been deemed "agreed in principle," necessitating further consultations, while 10 have been acknowledged and noted.

The forthcoming amendments to the Privacy Act will define "types of personal information that will be used in substantially automated decisions" that impact "an individual’s rights." Moreover, they will establish "a right to request meaningful information about how automated decisions are made." The government emphasizes that this information should be free of jargon and readily comprehensible, all while safeguarding commercially sensitive details.

The Attorney General plans to “introduce a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made. Entities will be required to include information in privacy policies about the use of personal information to make substantially automated decisions with legal or similarly significant effect. This proposal should be implemented as part of the broader work to regulate AI and ADM, including the consultation being undertaken by the Department of Industry, Science and Resources.”

“This would include decisions on denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and healthcare services, or access to basic necessities such as food and water,” the government response said.

These reforms are seen as a response to the Royal Commission's recommendations regarding Robodebt. The Commission urged the implementation of a legal framework to scrutinize government agencies' use of automated decision-making systems, coupled with the establishment of an enforcement authority.

To ensure transparency, individuals affected by automated decisions will have a clear path to review and comprehend the implications of these decisions. The process will be explained in plain language, with business rules and algorithms made available for independent expert scrutiny.

In addition to transparency measures, a regulatory body will be tasked with monitoring and auditing automated decision-making processes, assessing their technical aspects, fairness, avoidance of bias, and client usability.

In late 2022, the government bolstered data protection by imposing increased civil penalties for organizations facing "serious" or "repeated" privacy breaches. However, the specifics of which organizations these penalties will apply to, especially regarding the exemption for around 2.3 million small businesses under the Australian Privacy Principles, remain uncertain. The introduction of a tort of serious privacy invasion is also under consideration.

Nonetheless, the government intends to introduce criminal penalties for "malicious re-identification," targeting those who intend to harm others or gain an illegitimate advantage through such actions. Defining the terms of de-identification and re-identification is still to be done.

Acknowledging a gap in the current framework, the government agrees that the Office of the Australian Information Commissioner should offer guidance to entities on taking reasonable steps to secure personal information and to destroy or de-identify it.

While the government acknowledges in-principle that entities should adhere to a set of baseline privacy outcomes aligned with the Government's 2023–2030 Australian Cyber Security Strategy, the specifics of this alignment are yet to be finalized.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community,” Commissioner Falk said.