CRIM ASSIGNMENT 2000 Words Plagiarism Free
DATE DOWNLOADED: Mon Jan 24 22:57:17 2022SOURCE: Content Downloaded from HeinOnline
Citations:
Bluebook 21st ed.
Melissa de Zwart, Sal Humphreys & Beatrix Van Dissel, Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK, 37 U.N.S.W.L.J. 713 (2014).
ALWD 7th ed.
Melissa de Zwart, Sal Humphreys & Beatrix Van Dissel, Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK, 37 U.N.S.W.L.J. 713 (2014).
APA 7th ed.
Zwart, M., Humphreys, S., & Dissel, B. (2014). Surveillance, Big Data and Democracy:
Lessons for Australia from the US and UK. University of New South Wales Law Journal,
37(2), 713-747.
Chicago 17th ed.
Melissa de Zwart; Sal Humphreys; Beatrix Van Dissel, "Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK," University of New South Wales
Law Journal 37, no. 2 (July 2014): 713-747
McGill Guide 9th ed.
Melissa de Zwart, Sal Humphreys & Beatrix Van Dissel, "Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK" (2014) 37:2 UNSWLJ 713.
AGLC 4th ed.
Melissa de Zwart, Sal Humphreys and Beatrix Van Dissel, 'Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK' (2014) 37 University of New
South Wales Law Journal 713.
MLA 8th ed.
Zwart, Melissa de, et al. "Surveillance, Big Data and Democracy: Lessons for
Australia from the US and UK." University of New South Wales Law Journal, vol. 37,
no. 2, July 2014, p. 713-747. HeinOnline.
OSCOLA 4th ed.
Melissa de Zwart, Sal Humphreys & Beatrix Van Dissel, 'Surveillance, Big Data and
Democracy: Lessons for Australia from the US and UK' (2014) 37 UNSWLJ 713
Provided by:
Deakin University Library
-- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and
Conditions of the license agreement available at
https://heinonline.org/HOL/License
-- The search text of this PDF is generated from uncorrected OCR text.
-- To obtain permission to use this article beyond the scope of your license, please use:
Copyright Information Thematic: Surveillance, Big Data and Democracy
SURVEILLANCE, BIG DATA AND DEMOCRACY:
LESSONS FOR AUSTRALIA FROM THE US AND UK
MELISSA DE ZWART,* SAL HUMPHREYS** AND BEATRIX VAN DISSEL***
In the era of big data, where people find themselves surveilled in ever more
finely granulated aspects of their lives, and where the data profiles built from an
accumulation of data gathered about themselves and others are used to predict as
well as shape their behaviours, the question of privacy protection arises
constantly. In this article we interrogate whether the discourse of privacy is
sufficient to address this new paradigm of information flow and control. What we
confront in this area is a set of practices concerning the collection, aggregation,
sharing, interrogation and uses of data on a scale that crosses private and public
boundaries, jurisdictional boundaries, and importantly, the boundaries between
reality and simulation. The consequences of these practices are emerging as
sometimes useful and sometimes damaging to governments, citizens and
commercial organisations. Understanding how to regulate this sphere of activity
to address the harms, to create an infrastructure of accountability, and to bring
more transparency to the practices mentioned, is a challenge of some complexity.
Using privacy frameworks may not provide the solutions or protections that
ultimately are being sought.
This article is concerned with data gathering and surveillance practices, by
business and government, and the implications for individual privacy in the face
of widespread collection and use of big data. We will firstly outline the practices
around data and the issues that arise from such practices. We then consider how
courts in the United Kingdom ('UK') and the United States ('US') are attempting
to frame these issues using current legal frameworks, and finish by considering
the Australian context. Notably the discourse around privacy protection differs
significantly across these jurisdictions, encompassing elements of constitutional
rights and freedoms, specific legislative schemes, data protection, anti-terrorist
and criminal laws, tort and equity. This lack of a common understanding of what
is or what should be encompassed within privacy makes it a very fragile creature
indeed.
* Associate Professor, Adelaide Law School, University of Adelaide. ** Senior Lecturer, Discipline of Media, University of Adelaide. *** Research Assistant, Adelaide Law School, University of Adelaide.
2014 713 UNSW Law Journal
On the basis of the exploration of these issues, we conclude that current laws
are ill-equipped to deal with the multifaceted threats to individual privacy by
governments, corporations and our own need to participate in the information
society.
I PRACTICES
In this Part, we consider how information about people is now subjected to
new practices brought about through the networked digital communications that
have become prevalent in the lives of most people.
'[T]he power of personal information lies at the heart of surveillance.
Surveillance can be described as 'the focused, systematic and routine attention to
personal details for purposes of influence, management, protection or direction.' 2
In Deleuzian terms, in the surveillance society, surveillance (and therefore
control) is a cumulative process of interlocking networks and 'relies on historical
data to forge new visibilities.' 3 A key aspect of this new 'age of surveillance' is
lack of clear differentiation between surveillance by (or on behalf of)
governments and that conducted by commercial entities. 'Public- and private-
sector surveillance are intertwined - they use the same technologies and
techniques, they operate through a variety of public/private partnerships, and
their digital fruits can easily cross the public/private divide.' 4 Due to the
proliferation of services, and the complexity of regulatory regimes, agencies
increasingly seek to automate their decisions. Automated systems are thought to
ensure consistent decisions as the rules are interpreted in the same way in every
case. 6 Whether the algorithmic rules and the available data upon which the rules
are based are accurate is often obscured behind a discourse of technological
objectivity.
The inferential techniques used to analyse the information can provide
accurate and timely insights into complicated issues. However, as Citron
observes, the 'opacity of automated systems shields them from scrutiny' as
1 Neil M Richards, 'The Dangers of Surveillance' (2013) 126 Harvard Law Review 1934, 1953. 2 David Lyon, Surveillance Studies: An Overview (Polity Press, 2007) 14. 3 Karl Palmas, 'Predicting What You'll Do Tomorrow: Panspectric Surveillance and the Contemporary Corporation' (2011) 8 Surveillance & Society 338, 342, citing Gilles Deleuze, 'Postscript on the Societies of Control' (1992) 59 October 3, 5-6. 4 Richards, above n 1, 1958. 5 Danielle Keats Citron, 'Technological Due Process' (2008) 85 Washington University Law Review 1249, 1258; James Grimmelmann, 'Regulation by Software' (2005) 114 Yale Law Review 1719, 1734. 6 See Citron, above n 5, 1253 citing William D Eggers, Government 2.0: Using Technology to Improve Education, Cut Red Tape, Reduce Gridlock, and Enhance Democracy (Rowman & Littlefield Publishers, 2005) 113. 7 David Bollier, 'The Promise and Peril of Big Data' (Aspen Institute, 2010) 2.
714 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
'citizens cannot see or debate these new rules',' and algorithmic decision-making
based on data raises issues of 'technological due process'.'
A Collection
Data collection has become almost ubiquitous -it is carried out in public
spaces and in private spaces. People sometimes volunteer their information and
sometimes it is harvested from their actions without them knowing. Thus a
person may fill out a form online and give information about themselves to a
commercial or government organisation -usually in exchange for some kind of
goods or services. However, volunteering this information is not necessarily a
sign that they have consented to the ways in which it is used. As Solove points
out, the downstream uses of data may not be known to the person, particularly as
their data may be aggregated with other data over time." The privacy policies of
many collecting sites often include terms that indicate they share information
with third parties and cannot control what those third parties do with the
information. 12 Control of its uses is basically lost at the point of sharing.
Interestingly, the people who hold and deploy the data may not know its uses if it
is subjected to algorithms that interrogate it using automated and computationally
generated processes -a practice discussed further below.
Data can also be collected involuntarily or covertly in many places and
through many practices. Public places are not only under surveillance through
technologies such as closed-circuit television ('CCTV') cameras, but also
increasingly through scanning technologies which, for instance, may collect data
from peoples' mobile phones as they pass through a space. 13 Phones may be open
through Bluetooth and wi-fl networks. A phone that is automatically scanning for
a wireless network as a person walks through a mall can be read for information
about many other activities - global positioning system ('GPS') location data
may be read for information about where that person has been, contact lists may
be harvested and so on. Radio frequency identification ('RFID') tags may be
8 Citron, above n 5, 1254. 9 Ibid 1258. 10 Alice E Marwick, 'How Your Data Are Being Deeply Mined' (2014) 61(1) New YorkReview ofBooks . 11 Daniel Solove, 'Introduction: Privacy, Self-Management and the Consent Dilemma' (2013) 26 Harvard Law Review 1880, 1889-90. 12 For instance, the privacy policy on the website for popular games company Blizzard contains the following statement: 'Please be aware that we cannot control the activities of third parties to whom we provide data, and as such we cannot guarantee that they adhere to the same privacy and security procedures as Blizzard.': Blizzard Entertainment, Privacy Policy (2014) . 13 Mark Burdon, 'Mobile Phone Tracking: It's Not Personal', The Conversation (online), 11 March 2014 .
2014 715 UNSW Law Journal
embedded in clothing purchases, giving off readable information about
purchasing choices and tastes.14
What have traditionally been thought of as private places and interactions
have also become the source of much data gathering. Governments and
commercial organisations collect data from phone calls, online interactions of
both a social and a commercial nature and so on. Most people are not voluntarily
giving up this data, but it is almost impossible to prevent its collection. 15
B Aggregation
The collection of individual data with respect to one phone call or one
website visit may not appear to be a particularly sinister experience (and in
fact we are used to being regularly warned about 'cookies' collecting
information when we access a website). 16 However, even information regarding
one transaction may reveal a lot about the customer (for example, calling
hotlines dealing with domestic violence, suicide, depression or drug addiction). 17
However, it becomes an even more troubling experience when the data trail that
we leave is collected and aggregated from a variety of different sources, both
online and offline." The aggregation of data is performed both by commercial
and government agencies and can provide a wealth of detail regarding personal
habits, preferences, relationships and social networks. It collapses the divides that
all people create between different areas of their lives." We perform different
aspects of ourselves in different contexts - we tailor our behaviour for work
differently than we do for home, or for our friends, and so on. 20 The aggregation
of data represents a loss of control of our carefully managed identities, collapsing
the boundaries between private and public personas.
14 See generally Whitfield Diffie and Susan Landau, 'Communications Surveillance: Privacy and Security at Risk' (2009) 52(11) Communications oftheACM42, 47; Marwick, above n 10. 15 Diffie and Landau, above n 14; Marwick, above n 10. 16 A 'cookie' is a small piece of data which records and uses certain information regarding the user, such as authentication, transaction history or order details. 17 Edward W Felten, 'Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNational Intelligence, 13-cv-03994 (WHP), 26 August 2013, 13-14. See also Omer Tene, 'What Google Knows: Privacy and Internet Search Engines' [2008] Utah Law Review 1433, 1442-9,1458. 18 Edward W Felten, 'Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNational Intelligence, 13-cv-03994 (WHP), 26 August 2013, 17 [48] (emphasis in original):
Analysis of metadata on this scale can reveal the network of individuals with whom we communicate- commonly called a social graph. By building a social graph that maps all of an organization's telephone calls over time, one could obtain a set of contacts that includes a substantial portion of the group's membership, donors, political supporters, confidential sources, and so on. Analysis of the metadata belonging to these individual callers, by moving one 'hop' further out, could help to classify each one, eventually yielding a detailed breakdown of the organization's associational relationships.
19 danah boyd, 'Facebook's Privacy Trainwreck: Exposure, Invasion, and Social Convergence' (2008) 14 Convergence: The International Journal ofResearch into New Media Technologies 13, 18. 20 Ibid; Erving Goffman, The Presentation ofSelfin Everyday Life (Anchor Books, 1959).
716 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
Our personal information has become commercially valuable. We do not reap
the monetary benefits of commercial exchange in any tangible way, but our data
is bought and sold by companies which exist solely to trade in the traces we leave
of ourselves. They sell to other commercial organisations and to governments.
The aggregation and sharing of data is not something that is in the control of the
person whose data it is. It not only represents a loss of control, but as Bossewitch
and Sinnreich point out, it is almost impossible to reverse the process 21 -to suck
back data, to have it removed from a record of you that has proliferated to the
point where you will never know how many instances of that data exist.
A further aspect of the aggregation and sharing of data is that one person's
data is aggregated with other peoples' data -often in large sets of anonymised
data. Through a series of processes discussed below, a personal data profile
comes to be based not just on that person, but also on 'people like that person' as
identified through these large scale anonymised data sets. 22
Surveilling people's personally generated data without their knowledge also
raises ethical concerns about the threat to intellectual freedom and privacy: how
it 'affects the power balance between individuals and those who are watching',
and the risks of 'harmful uses of sensitive information'.2
C Interrogation
A key aspect of this accumulation of data from multiple sources over long
periods of time is that the data sets become so large as to be unmanageable. The
'infoglut' is beyond the comprehension of a single person. 24 The interrogation of
the data at this scale is done rather by machines and algorithms. 25 This is not to
say that people are not involved in the process of interrogation - people are
responsible for writing the algorithms initially, for setting up the database
categories that define how to think about what is important and what is not (a
form of knowledge creation) and for 'cleaning up' the data to make it ready for
the database. 26 Thus understanding the large datasets becomes the domain of
those who create the algorithms. And algorithms themselves perform the task of
pattern recognition on those data sets. How we become known through this
21 Jonah Bossewitch and Aram Sinnreich, 'The End of Forgetting: Strategic Agency beyond the Panopticon' (2012) 15 New Media & Society 224, 226. 22 Tene, above n 17, 1458. 23 Richards, above n 1, 1945. Further discussion of these issues: at 1945-58. 24 See Mark Andrejevic, Infoglut: How Too Much Information Is Changing the Way We Think and Know (Routledge, 2013). 25 Tarleton Gillespie, 'The Relevance of Algorithms' in Tarleton Gillespie, Pablo I Boczkowski and Kirsten A Foot (eds), Media Technologies: Essays on Communication, Materiality, and Society (MIT Press, 2014) 167. 26 See ibid 169-72.
2014 717 UNSW Law Journal
process, how a personal profile of 'sufficient accuracy'27 is generated, is to some
extent based on the 'tyranny of the pattern'. 28
More interesting still, from the point of view of regulation, is that algorithms
can be programmed to 'learn' as they go. Machine based learning means that
while a programmer may write the initial algorithm to interrogate the data, the
algorithm then develops quite free from human intervention, creating its own
investigations based on the patterns it recognises within the big data sets. Thus
one person's profile is arrived at through processes of interrogation opaque even
to the programmer.29
The data profiles (which are dynamic rather than static, as the accumulation
and interrogation of data never stops) will never be a direct correlation to
our 'real' selves. Decisions that we make that have been captured in data form
can be de-contextualised and misinterpreted, motivations for particular actions
are never explained or understood by the recording of them, and various things
about us still escape capture. But this is not the only reason our profiles may be
erroneous or misleading. Our profiles are often the result (as mentioned above) of
the aggregation of our data with other peoples' data. We have been recognised
through algorithms as being 'like' a variety of other people, and those peoples'
choices and behaviours are absorbed into our profile as we are absorbed
into theirs. 30 Furthermore, as Braman points out, there are practices designed
to protect peoples' privacy, for example wherein aspects of their data
are deliberately falsified before being shared in order to make the data
more anonymous.3 However, in the process of re-identification, which often is
performed in a different context, such falsifications are not known or addressed.
Our records have been tainted deliberately (ironically for our protection) but it is
almost impossible to redress this misinformation downstream, where our loss of
control of our data is almost complete.
An Australian Communications and Media Authority ('ACMA') report on
how Australians manage their digital identities also noted that people deliberately
falsify information about themselves as a privacy protection measure. 32 Their
research found that 47 per cent of the Australians surveyed deliberately provided
false or misleading information about themselves as a form of 'defensive
inaccuracy'. 33 Where information is demanded by a website in order to gain
access to that site and its services, people often choose to lie in an effort to
27 Ibid 174. 28 See Nimrod Kozlovski, 'Designing Accountable Online Policing' in Jack M Balkin et al (eds), Cybercrime: Digital Cops in a Networked Environment (New York University Press, 2007) 107, 115, discussing the 'tyranny of patterns' over accuracy. 29 See Gillespie, above n 25, 172. 30 Richards, above n 1, 1939. 31 Sandra Braman, 'Tactical Memory: The Politics of Openness in the Construction of Memory' (2006) 11(7) FirstMonday . 32 ACMA (Cth), Managing Your Digital Identity: Digital Footprints and Identities Research Short Report 1 (2013)6-8. 33 Ibid 6-7.
718 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
protect their identities. Thus that information, which is pulled into the data
stream, will also feed into inaccuracies in a person's data profile that may or may
not be damaging once that data is put to use in different contexts (say for credit
applications, housing applications, or criminal profiling). Algorithms find
patterns; they do not ask questions about the meaning of data or why particular
choices are made by people. 34
D Prediction
The uses made of data profiles that have been constructed through the above
practices are consequently of great importance. Commercial uses such as selling
profiles to advertisers are well established and in some ways can be seen as an
extension of the practice of selling media audiences to advertisers which has
sustained media businesses for many decades. The difference now is the more
finely granulated targeting of advertisements to individuals. The sharing of
profiles with government agencies, particularly security agencies is more
controversial. It can be seen as a way for security agencies to circumvent the
accountability and transparency mechanisms in place for the surveillance of
citizens by 'outsourcing' the collection of data to commercial organisations,
which also are often global in their reach and can ignore jurisdictional boundaries
that restrict government activities. 35 The state thus has a vested interest in
bolstering the power of corporations to gather information. While European data
protection laws may attempt greater constraints on corporate data collection and
storage, 36 the US government takes a very different stance toward regulating
corporate practices. The revelations by Edward Snowden of the National Security
Agency ('NSA') programs in 2013 involving big data give ample explanation as
to how and why this stance is taken, as discussed below.
Of equal importance though, is the turn to prediction as a key
mode of operation. 37 What big data offers both commercial and governmental
organisations therefore is the seduction of predicting the future through the
pattern recognitions offered by the algorithms interrogating the data: '[t]he
promise of predictive analytics is to incorporate the future as a set of anticipated
data points into the decision-making process'.3
34 See Andrejevic, above n 24, 1-41. 35 See, eg, Michael D Birnhack and Niva Elkin-Koren, 'The Invisible Handshake: The Reemergence of the State in the Digital Environment' (2003) 8(6) Virginia Journal ofLaw and Technology 1, 17 [41]. 36 See, eg, Tene, above n 17, 1437, 1459-60. See further discussion below. 37 See, eg, Edward W Felten, 'Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNationallntelligence, 13-cv-03994 (WHP), 26 August 2013, 20-1 [61] (citations omitted):
Researchers have discovered that individuals have unique calling patterns, regardless of which telephone they are using, they have figured out how to predict the kind of device that is making the calls (a telephone or a fax machine), developed algorithms capable of predicting whether the phone line is used by a business or for personal use, identified callers by social group (workers, commuters, and students) based on their calling patterns, and even estimated the personality traits of individual subscribers.
38 See Andrejevic, above n 24, 29.
2014 719 UNSW Law Journal
Here we see the boundary between reality and simulation being crossed and
recrossed as data is de-identified, aggregated, and interrogated by algorithms
searching for patterns that might not otherwise have been noticed by human
inquiry. Data is then reassembled into profiles that, while they look like a
complete picture of someone, actually represent the aggregation of data from
both that person and people the algorithms identify as like that person. Many
aspects of data about that person may be left out, but predictions are made
nonetheless, about their future behaviour. 39 What is interesting and worrying
about this process is that the constitution of such profiles is opaque.
Pattern recognition is about correlations rather than causal relations.
Algorithms notice correlations in data fragments without ever attempting to
contextualise or explain. 40 They might notice for instance, that men who buy
Schick razors are more likely to vote Republican, but they will not be able to
provide an explanation. Thus if you are a man buying a Schick razor, the
algorithm might predict that you also vote Republican. This is not based on any
real understanding of you and your actions and motivations.
What needs to be understood is that this system of profiling and prediction is
dynamic. As the data gathered is constantly updating, the algorithms may, upon
the input of further data, find this correlation no longer holds (it does not care
why), and so at a different point in time, will not predict that, as a Schick-buying
man, you will vote Republican. Thus the predictions are always based on
snapshots in time that could not be described as stable. 41 While this may not be a
big issue in relation to marketing and the harms to an individual in their life as a
consumer, it definitely takes on a problematic flavour if we consider criminal
profiling or terrorist profiling. 42 If an algorithm, based on pattern recognition,
constructs a profile of a person based not only on their own actions but the data
gathered from other people whom the algorithm has determined are like that
person (due to the choices it attributes to each), and at a given point in time,
assesses that person as likely to commit a criminal act, or likely to be a terrorist,
it may, sometime later, and with additional data, change its categorisation. As
Amoore suggests, a profile could send up a flag one day but not the next. 43 The
algorithms may, upon further calculations, take that person out of the category of
likely criminal/terrorist. The predictions are not based on what will really
happen. They are predictions, not facts. And yet, security agencies seeking to
prevent acts, rather than address or respond to actual events, may well be
seduced into treating these profiles and predictions as real. And if a person
happens to be targeted through profiling based on a moment when they were
39 Richards, above n 1, 1957, discussing use of consumer data by Target stores. 40 Gillespie, above n 25, 174. 41 See, eg, John Cheney-Lippold, 'A New Algorithmic Identity: Soft Biopolitics and the Modulation of Control' (2011) 28(6) Theory, Culture & Society 164, 169-70. 42 See, eg, Louise Amoore, 'Data Derivatives: On the Emergence of a Security Risk Calculus for Our Times' (2011) 28(6) Theory, Culture & Society 24, 32. 43 Ibid.
720 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
algorithmically predicted to belong to a category, it will be very difficult to find
some form of redress. Using machine generated calculations means that even the
people who write the algorithms do not really know what the algorithm was
recognising and aggregating at the moment in time when it categorised a person.
The algorithm will likely have morphed into something different by the time
redress is sought. 44
If we consider what it might take to challenge inaccuracies in a data profile -
particularly if that profile has been used in a way that is detrimental to a person -
the process is not the same as challenging inaccuracies of data kept about a
person's actual life actions. That would be about the data collection (and
possibly archiving) on a person. As Crawford and Schulz suggest, there needs to
be a means to 'audit the data that was used to make a determination' on
someone, 45 which means data from a range of sources, not all of them from the
actual person. A decision based on a data profile is a decision based on
predictions derived from that person and many other people as well. The data
profile represents many different categorisations that have been made across a
range of data. Predictive algorithms, having found patterns across large sets of
data, and having determined correlations that may or may not hold, might
categorise a person without any regard to their actual behaviour, but more on
who the algorithm predicts they are. 46 But as Andrejevic points out, although
people are behind the process of deciding what is important to notice and what
can be ignored at some point, the algorithms are also programmed to learn,
machinically, and transform as they proceed. 47 Thus the chances of transparency
and accountability become exceedingly remote as even the programmers who
write the algorithms lose track of what those algorithms are actually calculating
and interrogating.
II CHALLENGES CREATED BY CURRENT DATA PRACTICES
From this brief overview of some aspects of current data collection and usage
practices it can be seen that regulation of this area is a difficult challenge. Privacy
regulation through privacy statutes, common law and data protection laws links
an individual to their records, protecting the records in order to protect the
interests of the related individual. Big data seemingly severs the individual from
44 Gillespie, above n 25, 172. 45 Discussing 'data due process': Kate Crawford and Jason Schultz, 'Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms' (2014) 55 Boston College Law Review 93, 117. See also Sara M Watson, 'Data Doppelgangers and the Uncanny Valley of Personalization', The Atlantic (online), 16 June 2014 : 'We need to demand more ways to keep our data doppelgangers in check.' 46 See Gillespie, above n 25, 173-4. 47 See Andrejevic, above n 24, 1-41.
2014 721 UNSW Law Journal
their data, thus removing the justifications for protection under traditional
concepts of privacy. However, the mass collection of seemingly de-identified
data may in fact now result in the generation of more detailed and more accurate
profiles of a larger number of individuals than more targeted surveillance of the
individuals could produce. 48 The impact of the collection and use of metadata
must therefore be assessed through a different lens.
Privacy regulation in Australia deals primarily with restricting the collection,
use of and access to particular categories of information about a person by the
public, government or corporations. 49 But in the space of big data, many of the
fixed boundaries around information that are part of how privacy regulation can
structure a regulatory system using gates and walls, are simply not found.
Algorithms voraciously travel across many boundaries. The processes involved
in data analytics, predictive analytics and the creation of data profiles tend to
exceed the forms and assumptions of privacy regulation. Algorithms may create
new categories on the fly, thus exceeding regulatory mechanisms that attempt to
quarantine content from use through categories. 0 The idea of consent becomes
unworkable in an environment where it is not known, even by the people
collecting and selling data, what will happen to the data - one cannot give
meaningful consent to an unknown use of data downstream in the process.
Further, the notion of consent is compromised where the user must consent to
disclose certain personal data in order to use (increasingly ubiquitous) services
such as apps, social media, search engines, or email. For example, internet radio
app Pandora now claims that an algorithm based on its subscribers' voluntarily
disclosed music preferences and election results enables it to predict users'
voting preferences with great accuracy. 52 Pandora users are required to disclose
48 See generally Edward W Felten, 'Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNational Intelligence, 13-cv-03994 (WHP), 26 August 2013, 22 [64]:
The privacy impact of collecting all communications metadata about a single person for long periods of time is qualitatively different than doing so over a period of days. Similarly, the privacy impact of assembling the call records of every American is vastly greater than the impact of collecting data about a single person or even groups of people. Mass collection not only allows the government to learn information about more people, but it also enables the government to learn new, previously private facts that it could not have learned simply by collecting the information about a few, specific individuals.
49 See generally Privacy Act 1988 (Cth). This relates to personal information disclosed by individuals or collected about the individual for the purposes of transacting with that agency, department, business or company in some way. It would not apply to calculations or algorithmic assumptions based on anonymous data. Similar limitations apply in privacy laws in the UK and US, see: Human Rights Act 1998 (UK) c 42, sch 1 art 8; Stored Communications Act, 18 USC §§2701-12 (1986); Electronic Communications Privacy Act of 1986, 18 USC §§2510-22. 50 Crawford and Schultz, above n 45, 106. 51 See, eg, Solove, above n 11, 1881. 52 Elizabeth Dwoskin, 'Pandora Thinks It Knows if You Are a Republican', The Wall Street Journal (online), 13 February 2014 .
722 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
personal preferences and information in order to facilitate targeted advertising
and thus subscribe to the 'free' service.
Solove points out that regulation based on consent is ineffective when, as is
the case with data gathering currently, the scale of the exercise is unmanageable,
the downstream uses are difficult to assess, and assessing harm is also difficult
when harm can be cumulative, 53 and social rather than individual (for instance in
the case of racial profiling). One cannot seek to have the record corrected if the
data identified as incorrect has been proliferated across an unknown number of
nodes of the network and may be working in any number of profiles -both of the
person and of other people. 54 The proliferation of sites where data about a person
are held, and the possibilities of it being archived over and over make the idea of
redress on this level an impossibility. Ironically, as Amoore points out,
algorithms do not need to archive data or store it.5" They are the calculating
processes that look at data and move on -making associative connections and
changing constantly in iterative processes that suggest constant dynamism -
rather than fixity and static categories that can be grasped and controlled by
regulatory mechanisms of the kind seen in current privacy regimes. Crawford and
Schulz suggest that rather than attempting to erect walls around categories
(which algorithms will change or discard anyway) the idea of regulation must
instead focus on the processes involved in establishing algorithms and the use of
the resulting conclusions. 56 Although this notion of due process, the right to
correct the record, and proper disclosure of both the use of predictive data
derivatives and disclosure of the sources those predictions are based upon, seems
more plausible than focusing on content, in reality even these measures of
procedural fairness would be difficult to implement.
Focussing on processes and uses of both personally identifiable information
and predictive data represents a shift away from privacy protection frameworks
designed to restrict the capture and storage of data, and limit access and uses
based on content categories. These mechanisms seem to be no longer adequate or
appropriate, although the desire for accountability and transparency remain. The
intersection of the discourses of privacy with those of security and risk ensure
that governments find themselves with internal conflicts of interest. Attempts to
minimise risk and to enhance security are often in conflict with obligations to
ensure the privacy of citizens," and many governments seem reluctant to restrict
the former in favour of the latter. As Dean points out, the encroachments of the
53 Solove, above n 11, 1888-90, 1892. 54 See generally Bossewitch and Sinnreich, above n 21, 226. 55 Amoore, above n 42, 33. 56 Crawford and Schultz, above n 45, 106, 109. 57 See Sal Humphreys, 'Predicting, Securing and Shaping the Future: Mechanisms of Governance in Online Social Environments' (2013) 9 International Journal ofMedia and Cultural Politics 247, 252-5.
2014 723 UNSW Law Journal
security arm of government through the normalisation of 'crisis' situations
requiring the overriding of citizen privacy rights is now well established."
We will now turn to the specific legal issues which have recently been
litigated in the US and UK concerning big data.
III LEGAL RESPONSES: US AND UK EXPERIENCES
A Metadata Capture: Section 215 Program and PRISM
The issue of privacy, surveillance and mass data capture came to the
forefront in June 2013 with the revelations by former NSA contractor Edward
Snowden that the US government, through its various agencies, was engaging in
massive scale collection of data from both its own and foreign citizens." This
data collection was occurring in the context of two separate but similar programs:
the first, known as the 'section 215 program' facilitated the collection of
telephony metadata, capturing caller ID, numbers dialed, place of call, duration
and other information, but not including the content of the call. One of
Snowden's first leaks revealed that Verizon, a major US telecommunications
provider, was compelled by order of the Foreign Intelligence Surveillance Court
('FISC') 60 to produce to the NSA daily records of all telephony metadata for
communication between the US and abroad and wholly within the US, including
local telephone calls. 61 In response to these disclosures the US government
confirmed that such a program did in fact exist, pursuant to which 'the FBI
obtains orders from the FISC pursuant to Section 215 [of the USA PATRIOT
Act] 62 directing certain telecommunications service providers to produce to the
58 Mitchell Dean, 'Power at the Heart of the Present: Exception, Risk and Sovereignty' (2010) 13 European Journal of Cultural Studies 459, 464. 59 For a detailed insight into these disclosures and Snowden's actions and motivations, see Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State (Penguin Books, 2014). 60 The FISC, established under the provisions of the Foreign Intelligence Surveillance Act, 50 USC §§ 1801-85 (1978) ('FISA'), hears ex parte applications from the US government to authorise domestic electronic surveillance for foreign intelligence purposes. The judges are drawn from the ranks of District Court and the matters are heard in secret, with no public records of proceedings. In the period since 1978 the Court has approved over 20 000 requests and rejected only a handful. As Greenwald notes, its role appears to be more as a 'part of the executive branch rather than as an independent judiciary exercising real oversight': ibid 128. 61 Glenn Greenwald, 'NSA Collecting Phone Records of Millions of Verizon Customers Daily', The Guardian (online), 6 June 2013 . It was quickly revealed that other phone providers were also subject to such orders. 62 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of2001, 50 USC § 1861 ('USA PATRIOTAct').
724 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
NSA on a daily basis electronic copies of "call detail records."' 63 The second of
Snowden's leaks detailed the collection of online user data from major US
technology companies such as Google and Apple, by the government as part of a
program known as 'PRISM'. 64 We can see here the ability of governments to
'outsource' the collection of data to private corporations whose data collection
crosses jurisdictional boundaries with impunity. Again the US government
confirmed the existence of such a program, but claimed that it was targeted only
at non-US citizens, and was authorised under the FISA. 65
Both the section 215 and PRISM programs are designed around the fact that
different legal frameworks apply in the US with respect to surveillance of
'foreign' and 'domestic' persons. 66 Any surveillance of a US person must comply
with constitutional and legal requirements, notably obtaining a warrant.
However, legal restrictions upon surveillance without a warrant do not apply to
non-US persons located outside of the US. Thus two very different surveillance
frameworks exist in theory, but with global networks of communication and the
centrality of the US to the global internet and communication industries, these
boundaries appear to have become very blurred. US citizens were appalled that
their constitutional rights under the Fourth Amendment 67 appeared to have been
violated.
Well before Snowden's revelations, there had been concerns expressed
regarding the data gathering activities of the NSA. In February 2013, the US
Supreme Court handed down its decision regarding a group of lawyers, non-
governmental organisations ('NGOs'), human rights, labour, and media
organisations who sought a declaration that section 1881a of the FISA was
unconstitutional, 68 and a permanent injunction against section 188la-authorised
63 Klayman v Obama, 957 F Supp 2d 1, 10 (D DC, 2013). The case notes the various public statements made by the Office of the Director of National Intelligence following Snowden's disclosures: at 10 n 9. See, eg, James R Clapper, Director of National Intelligence, 'DNI Statement on Recent Unauthorized Disclosures of Classified Information' (Press Release, 6 June 2013) . 64 Glenn Greenwald and Ewen MacAskill, 'NSA Prism Program Taps in to User Data of Apple, Google and Others', The Guardian (online), 7 June 2013 . 65 FISA § 1881a; Dan Roberts, Spencer Ackerman and Tania Branigan, 'Clapper Admits Secret NSA Surveillance Program to Access User Data', The Guardian (online), 8 June 2013 . 66 USA PATRIOTAct, 50 USC §§ 1861, 1881 (2001). 67 United States Constitution amend IV. It establishes:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
68 Clapper vAmnesty International USA, 133 S Ct 1138, 1142 (Alito J). The respondents argued that § 1881 violated the Fourth and First Amendments, art III of the Constitution and the separation of powers principles: at 7 [C].
2014 725 UNSW Law Journal
surveillance. 69 The respondents claimed that their work required them to 'engage
in sensitive and sometimes privileged communications' via 'telephone and email
with their clients, colleagues, sources' and 'other' relevant parties who may be
located outside of the US." They claimed that some of the people with whom
they exchanged information were likely to be targets of surveillance under
section 1881a, including those 'people the Government "believes or believed to
be associated with terrorist organizations," "people located in geographic areas
that are a special focus" of the Government's counterterrorism or diplomatic
effort, and activists who oppose governments that are supported by the United
States Government.' The threat of surveillance compromised their ability to
communicate with their clients and other important sources, chilled their ability
to communicate and required additional measures to protect the confidentiality of
their communications, including travelling overseas to meet face to face, and
other measures. 72
Section 1881a authorises the US Attorney-General and the Director of
National Intelligence to 'acquire foreign intelligence information by jointly
authorising the surveillance of individuals who are not 'United States persons'
and are reasonably believed to be located outside of the US'. 73 Normally, the
approval of the FISC is also required and, as the Supreme Court observed,
surveillance is subject to 'statutory conditions, judicial authorization,
congressional supervision, and compliance with the Fourth Amendment.' 74 The
case revolved around the question of standing, whether the respondents could
establish injury in fact based on their claim that there was a strong likelihood that
their communications would be acquired under section 1881a in the future thus
causing them injury, or alternatively that they were sustaining injury as a
consequence of the fact that the risk of section 188 la-authorised surveillance was
requiring them to take 'costly and burdensome measures to protect the
confidentiality of their international communications.' The Supreme Court held
that the respondents lacked the requisite standing on the basis that they had no
actual knowledge of the government's targeting practices under section 1881a
and that claims of fears of widespread surveillance of the communications were
merely speculative. 76 Further, the Court held the respondents could not establish
that the interception may be authorised under some other provision of FISA, nor
69 Section 1881a was added to FISA by the Foreign Intelligence Surveillance Act of 1978 Amendments Act of2008 Pub L No 110-261, 122 Stat 2436 (2008). 70 ClappervAmnesty International USA, 133 S Ct 1138, 1145 (Alito J). 71 Ibid, quoting App. to Pet. for Cert. 399a. 72 ClappervAmnesty International USA, 133 S Ct 1138, 1145-6 (Alito J). 73 FISA § 1801(i) states that 'United States person' includes US citizens, aliens admitted for permanent residence and certain associations and corporations. 74 ClappervAmnesty International USA, 133 S Ct 1138, 1144 (Alito J). 75 Ibid 1143 (Alito J). 76 Ibid 1143, 1148-50. Eg, the Court cites journalist Christopher Hedges: 'I have no choice but to assume that any of my international communications may be subject to government surveillance, and I have to make decisions ... in light of that assumption': at 1148 (Alito J).
726 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
could they demonstrate that even if the government sought to invoke surveillance
of communications with their foreign contacts 'that the FISC would authorise
such surveillance', that the communications could actually be acquired nor that
their own communications would be caught up in such surveillance." Any costs
incurred by the respondents in attempting to avoid surveillance were based on
their own 'fears of hypothetical future harm that is not certainly impending.'
Justice Breyer filed a dissenting opinion, which concluded that, based on the
nature of the communications engaged in by the respondents, the past conduct of
the government and the capacity to undertake the surveillance, there 'is a high
probability that the Government will intercept at least some electronic
communication to which at least some of the plaintiffs are parties."' It was
therefore wrong to characterise the harm threatened to the respondents as
'speculative' and 'at least some' of the respondents were entitled to standing. 0
Of course, just how 'speculative' these claims were was revealed with
dramatic consequences only a few months later when the government was forced
by Snowden's revelations to confirm its existence and consider how it could
combat the massive anger of its own and foreign citizens, and the consequent
collateral damage it had inflicted on its own technology industry. What had been
merely speculative in February was confirmed as widespread practice in June.
B US Government Responses
The surveillance practices of the US government outlined above were
reviewed in the Report and Recommendations of the President's Review Group
on Intelligence and Communications Technologies: Liberty and Security in
a Changing World, " commissioned by President Obama in August 2013
and released in December 2013. The report was commissioned in response to
public and global pressure brought to bear on the US President regarding how he
would respond to the Snowden revelations, which were having serious fallout for
the US worldwide. However, in addition to the section 215 program and PRISM
revelations, further disclosures continued to flow from Snowden. Not only
was the US now implicated in spying on governments of hostile nations, it had
been caught tapping the phone of German Chancellor Angela Merkel. 82 Further,
several governments allied with the US, including the UK and Australia, were
77 Ibid 1141 (Alito J). 78 Ibid 1151 (Alito J). 79 Ibid 1160. 80 Ibid. 81 President's Review Group on Intelligence and Communications Technologies, Office of the Director of National Intelligence (US), Liberty and Security in a Changing World: Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies (2013) ('Liberty and Security Report'). 82 Ian Traynor, 'Angela Merkel: NSA Spying on Allies Is Not On', The Guardian (online), 25 October 2013 .
2014 727 UNSW Law Journal
implicated in mass surveillance practices, including spying on one another's
citizens. 83
The fact that US technology companies had been the instrument of
widespread user surveillance also generated massive user backlash and a
commercial headache for these companies who depend heavily upon user trust.
The Obama regime was forced into damage control.
The Liberty and Security Report identified a number of principles which
should underpin intelligence collection activities into the future.
'1. The United States Government must protect, at once, two different forms
of security: national security and personal privacy.' 84 This statement highlights
the dualistic nature of the concept of 'security', reflecting both the concepts of
national security and defence against enemies of the United States," and
the articulation in the Fourth Amendment of the right of the people of the
United States 'to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures'. 86 This notion of security has created
significant conceptual problems in defining the scope of the right of privacy. As
Wacks has observed, the inclusion of security against unreasonable searches and
seizures in the Fourth Amendment has manifested in the grafting of notions of
personal autonomy onto the concept of personal privacy. 7 According to Wacks,
this lack of conceptual clarity, contained within the original Warren and Brandeis
thesis on privacy, was further complicated by Prosser's gloss, which added
concepts of personal freedoms, including speech and personal autonomy, to
concepts of confidentiality." Justice Brandeis equated this right of privacy to
both the 'the right to be let alone' and to the essential right of self-fulfilment, as
the capacity to fully and freely express one's thoughts and emotions are a vital
part of an individual's pursuit of happiness." As Wacks points out, this conflates
two entirely different concepts: confidentiality and autonomy." Therefore, there
are tensions within the very concept of privacy as well as in the various roles it is
expected to perform. Thus the wording of the Fourth Amendment complicates
the concept of privacy, posing significant difficulties in articulating a clear,
meaningful and legally enforceable concept of 'privacy'.
83 Bernard Keane, 'Spy versus Spy; Gatekeeper versus Gatekeeper', Crikey (online), 22 November 2013 . 84 Liberty and Security Report, above n 81, 14. 85 Ibid 15. 86 Ibid. 87 Raymond Wacks, Privacy and Media Freedom (Oxford University Press, 2013) 55. 88 Ibid 55-9. See also Samuel V Warren and Louis D Brandeis, 'The Right to Privacy' (1890) 98 Harvard Law Review 193; William L Prosser, 'Privacy' (1960) 48 California Law Review 383; Neil Richards and Daniel Solove, 'Prosser's Privacy Law: A Mixed Legacy' (2010) 98 California Law Review 1887. 89 Olmsteadv United States, 277 US 438, 478 (Brandeis J) (1928). 90 The identification of these concepts in terms of 'security' also gives rise to tension between national security interests and personal privacy, as has recently been recognised in the Liberty and Security Report, above n 81, 43-6. See also Wacks, above n 87.
728 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
'2. The central task is one of risk management; multiple risks are involved,
and all of them must be considered."' In addition to the obvious question of risks
to national security, public officials should consider 'risks to privacy', 'risks to
freedom and civil liberties, on the Internet and elsewhere', risks to the
relationships of the US with other nations, and 'risks to trade and commerce,
including international commerce.' 92 These 'other' risks, it could be argued, were
overlooked (or overridden) by the section 215 and PRISM collection programs. It
appears to be a case of the practical fact that such data can be collected and
therefore it should be collected.
'3. The idea of "balancing" has an important element of truth, but it is also
inadequate and misleading.'9 The determination of the correct nature of the
scope of surveillance could not be determined by a simple balancing exercise
between the two identified forms of security (national and personal). 94 In fact,
some other relevant considerations are also subject to this balancing exercise,
such as: surveillance should not be conducted in order to
punish ... political enemies; to restrict freedom of speech or religion; to suppress legitimate criticism and dissent; to help ... preferred companies or industries; to provide domestic companies with an unfair competitive advantage; or to benefit or burden members of groups defined in terms of religion, ethnicity, race and gender. 5
'4. The government should base its decisions on a careful analysis of
consequences, including both benefits and costs (to the extent feasible).' 96
Application of this final principle appears absent from the implementation,
operation and continuation of the section 215 and PRISM programs. There is a
clear reluctance to forego the access to data which may be relevant to a security
risk or criminal investigation. Rather than seek a warrant for relevant data as a
need arises, all data is captured in the belief of its potential usefulness, and as
noted above, the capture of this mass data set then facilitates downstream
unanticipated (and potentially uncontrolled) uses. Further, studies have
confirmed that far from consisting of unidentified snippets of non-personal data,
telephony metadata 'can be extremely revealing, both at the level of individual
calls and, especially, in the aggregate.' 7 The metadata is easily searchable and
can reveal details regarding an individual's personal circumstances, location,
political, religious and sexual preferences and relationships with others.
91 Liberty Security Report, above n 81, 15. 92 Ibid. 93 Ibid 16. 94 Ibid. 95 Ibid. 96 Ibid. 97 Edward W Felten, 'Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNational Intelligence, 13-cv-03994 (WHP), 26 August 2013, 13 [38]. See also Jonathan Mayer and Patrick Mutchler, MetaPhone: The Sensitivity of Telephone Metadata (12 March 2014) Web Policy .
2014 729 UNSW Law Journal
The Report's 46 recommendations reflect the extensive damage inflicted on
US government and business interests by the Snowden revelations. A number of
the key recommendations will be highlighted here.
Unsurprisingly, the Report does not recommend the abolition of surveillance
and intelligence gathering activities. Rather, the Report begins with the
acknowledgement that the US 'must continue to collect signals intelligence
globally in order to assure the safety of [US] citizens at home and abroad and to
help protect the safety of our friends, our allies, and the many nations with whom
we have cooperative relationships."' However, it does recommend the end of
bulk storage of data under section 215 of FISA and that metadata should be
transferred to a private provider who would store such data for interrogation
by the government as appropriate for national security purposes." Further,
telephone, internet and other service providers should be able to publicly disclose
general information about orders they receive requiring them to provide
information to the government, such as the number of requests received,
categories of information provided and the numbers of users involved. "
Safeguards need to be put in place to ensure that the collection of information
from non-US persons is subject to additional safeguards, including prohibitions
on obtaining information for commercial gain for domestic industries. 01
The Report examines in detail the question of what privacy interests are
implicated by the mass collection of metadata from phone and internet records of
individuals and businesses. 102 Noting that the Fourth Amendment had been
interpreted by the US Supreme Court in a series of decisions in the 1970s to
98 Liberty and Security Report, above n 81, 11. 99 Ibid 25. Recommendation 4 suggests:
as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes. Any program involving government collection or storage of such data must be narrowly tailored to serve an important government interest.
Further, Recommendation 5 suggests 'legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.' 100 See Recommendation 9: ibid 27. 101 The US Government should affirm that surveillance of non-US persons outside of the US:
(1) must be authorized by duly enacted laws or properly authorized executive orders;
(2) must be directed exclusively at the national security of the United States or our allies;
(3) must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries; and
(4) must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies.
In addition, the US Government should make clear that such surveillance:
(1) must not target any non-United States person located outside of the United States based solely on that person's political views or religious convictions; and
(2) must be subject to careful oversight and to the highest degree of transparency consistent with protecting the national security of the United States and our allies.
See Recommendation 13: ibid 29-30 (emphasis in original). 102 Liberty and SecurityReport, above n 81, 11, chs III-IV.
730 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
allow collection of information voluntarily shared with third parties, the Report
observes the possible emergence of a need to reconsider the approach that
individuals have no 'reasonable expectation of privacy' in this information
(whilst observing that it is not the role of the Report to interpret the Fourth
Amendment in this context, leaving that decision to the Supreme Court). 103 The
continuing validity and scope of application of this line of authority in the digital
era was raised but not resolved in United States v Jones, 104 which concerned the
constitutionality of the surveillance of an individual suspected of drug
trafficking, by attaching a GPS to his car. The Court concluded (by majority) that
the installation of the GPS was a 'search' within the meaning of the Fourth
Amendment, but declined to further consider the argument that such surveillance
was legitimate based on the argument that an individual's movements along
public roads are voluntarily disclosed to third parties in accordance with the logic
of Miller and Smith.' Thus until Miller and Smith are reviewed by the Supreme
Court, they remain good law, and create a low threshold test regarding privacy of
individual information.
The Report acknowledges that the bulk collection of undigested, non-public
personal information about individuals involves serious implications of invasions
of privacy. Essentially people must reveal personal information to banks, phone
companies, health providers and so on in order to participate in modem society,
so the question of whether the person has voluntarily decided to reveal such
information is moot.106 Notably this discussion leaves aside any related questions
regarding the status of disclosures made to social networking sites, now used as a
major conduit of communication. Further, there is a real concern that people are
becoming increasingly aware of the fact that their personal information is being
monitored, collated and used and therefore may be prevented from fully
participating in society as a consequence, contrary to the purposes of the Fourth
and First Amendments. 107
The Report notes the damage that can potentially be caused by aggressive
surveillance practices not only to US businesses, but further to the future
103 See Miller v United States, 425 US 435 (1976) ('Miller') (bank records) and Smith vMaryland, 442 US 735 (1979) ('Smith') (telephone records). The Report notes that these decisions underpin the enactment of s 215 of the USA PATRIOTAct, which authorises the making of orders compelling the production of a large variety of records underFISA: Liberty and Security Report, above n 81, 83-4. 104 132 S Ct 945 (2012). 105 See ibid 957 (Sotomayor J). Eg, Sotomayor J observed:
it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties ... This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. ... I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.
See generally Liberty and Security Report, above n 81, 84-5. 106 Liberty and Security Report, above n 81, 111-12. 107 Ibid 110-12, quoting National Research Council of the National Academy of Science, Protecting Individual Privacy in the Struggle against Terrorists: A Frameworkfor Program Assessment (National Academic Press, 2008) 2-3.
2014 731 UNSW Law Journal
openness of the internet, and even democracy itself."o0 It highlights the large
losses caused to US cloud computing providers due to concerns regarding their
implication in US surveillance, harming US economic growth. "
Further, the US agenda regarding internet freedom has been seriously
undermined by the revelations. Not only does this create the potential for harm to
US internet business interests, but also sustains calls for closed and localised
internet models contrary to US policy on the future of the global internet."o
The concern regarding harm to US internet and technology companies is not
overstated. Snowden's leaked documents included a PowerPoint presentation
prepared for the NSA identifying by name and logo the technology companies,
including Microsoft, Yahoo, Google, Facebook and Apple, that participated in
the PRISM program (this following immediately upon similar revelation
regarding telephone companies)."' The companies issued denials regarding their
involvement in the mass collection of data, but they could not deny that they had
been compelled to provide records to the US Government. 112 They had not
however been allowed to reveal their involvement due to the fact they were
prevented by a court order. This complicity with covert surveillance of global
internet users threatened the very substance of the internet, undermining the
characterisation of the internet and technology companies as the engine of free
speech. Rather the internet could become 'a means of widespread surveillance'. 113
Businesses such as Google base their whole business model on asking their users
to trust them with vast amounts of data, making them very attractive data
sources. However, without that trust their businesses will shrink and possibly
fail: imagine a Facebook or Instagram where people refuse to post any personal
information.
The technology companies went into damage control mode issuing the
Global Government Surveillance Reform statement calling for reform of
government surveillance practices. 114 In particular, they claimed, collection of
108 'In light of the global influence of the United States, any threat to effective democracy in the United States could have negative and far-reaching consequences in other nations as well': Liberty and Security Report, above n 81, 154. 109 Ibid 212. 110 Ibid 213-15. 111 Steven Levy, How the NSA Almost Killed the Internet (7 January 2014) Wired . 112 Greenwald, above n 59, 108-18. 113 Levy, above n I11. 114 Reform Govermment Surveillance, The Principles (2014) ; Open Letter from AOL et al to the US President and Members of Congress, 9 December 2013 . See also Steve Holland and Roberta Rampton, 'Tech Executives Press Barack Obama to Reform NSA Surveillance Practices', The Sydney Morning Herald (online), 18 December 2013 ; Dominic Rushe and Paul Lewis, 'Tech Firms Push Back against White House Efforts to Divert NSA Meeting', The Guardian (online), 18 December 2013 .
732 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
information should be transparent and sufficiently targeted. Governments should
not 'undertake' or require 'bulk data collection of internet communications'. 1
Recognising the potential for significant harms to US business interests, as
well as the broader harm of the potential 'balkani[sation]' of the internet,
President Obama released the Presidential Policy Directive on 17 January
2014.116 Section 1 confirms that '[p]rivacy and civil liberties shall be integral
considerations in the planning of U.S. signals intelligence activities.'" Signals
intelligence may not be collected for other purposes, such as suppressing speech,
nor to offer a competitive advantage to US businesses." The Directive is clear
on the point that collection of bulk data will continue. However, new limits are to
be imposed on the use of that data. Data may be used for the purposes of
detecting and countering: espionage and threats against the US from terrorism,
spying and other activities, weapons of mass destruction, cybersecurity; threats to
US and Allied armed forces and other personnel and transnational criminal
threats."' At the same time, President Obama announced a number of other
reforms, designed to increase accountability and transparency regarding the US
government's surveillance activities, including some declassification of orders of
the FISC, which provides review of the program targeting foreign individuals
outside of the US and the section 215 telephony metadata program discussed
above. 120 Further, the section 215 program will be replaced with a new procedure.
Noting the recommendations of the Review Group that a third party rather than
the government retains the bulk data, which may then be interrogated by the
government on an as needs basis, President Obama reflected on the complexities
generated by such an approach:
Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns. On the other hand, any third party maintaining a single, consolidated database would be carrying out what is essentially a government function but with more expense, more legal ambiguity, potentially less accountability -- all of which would have a doubtful impact on increasing public confidence that their privacy is being
protected. 121
These announcements were criticised as merely a publicity stunt in order to
direct attention away from the harm being inflicted on the US technology
115 AOL et al, The Principles (2014) Reform Government Surveillance . 116 Office of the Press Secretary, 'Signals Intelligence Activities' (Presidential Policy Directive, PPD-28, 17 January 2014). 117 Ibid 2. 118 Ibid. 119 Ibid 3. 120 Barack Obama, 'Remarks by the President on Review of Signals Intelligence' (Speech delivered at the Department of Justice, Washington, D C, 17 January 2014) . 121 Ibid.
2014 733 UNSW Law Journal
industry. 122 Indeed, little reform has been effected since January 2014. As noted
above, bulk collection of telephony metadata by the NSA has ceased (although
still conducted by third parties) but the USA Freedom Act, 123 intended to restrict
the surveillance powers of the NSA with respect to the internet, has fallen victim
to political maneuvering, despite significant lobbying from the US technology
industries. 124 The revised Act passed the House in May 2014 with none of the
safeguards against continued surveillance that had been anticipated. 125 Therefore
mass data capture remains legal in the US. 126
C US Judicial Responses
Of course, Snowden's revelations also demonstrated that the collection of
data described by the Supreme Court as speculative, was in fact actually
occurring, opening the door again for challenges to the constitutionality of such
practices. By December 2013, two conflicting District Court decisions had been
handed down on the question of standing to sue on the constitutionality of bulk
collection of telephony metadata: Klayman v Obama, 127 and decision reached a
different outcome. The plaintiffs in Klayman commenced two actions, one
related to the capture of telephone data from Verizon, brought against the NSA,
the Department of Justice, President Obama and several other executive officials,
as well as Verizon ('Klayman I'), and the second with respect to the monitoring
of internet services, brought against the same government defendants and
Facebook, Yahoo!, Google, Microsoft, YouTube, AOL, PalTalk, Skype, Sprint,
AT&T and Apple ('Klayman II'). Both claims alleged that the government
violated the plaintiffs' rights under the First, Fourth and Fifth Amendments and
the Administrative Procedure Act by exceeding its authority under FISA. 128 In
Klayman I the Court held that the plaintiffs had 'standing to challenge the
constitutionality of the Government's bulk collection and querying of phone
record metadata, that they have demonstrated a substantial likelihood of success
122 Glenn Greenwald, 'Obama's NSA "Reforms" Are Little More than a PR Attempt to Mollify the Public', The Guardian (online), 18 January 2014 . 123 HR 3361, 113th Congress (2013). 124 See, eg, Steve Wilson (ed), 'Mark Zuckerberg Tells Barack Obama He Is 'Frustrated' over US Government Surveillance', The Telegraph (online), 14 March 2014 . 125 Spencer Ackerman, 'Edward Snowden, a Year On: Reformers Frustrated as NSA Preserves Its Power', The Guardian (online), 5 June 2014 . 126 See ibid. However, the House of Representatives also recently voted to remove the power from the NSA to search 'warrantlessly through its troves of ostensibly foreign communications content for Americans' data, the so-called "backdoor search" provision': see Spencer Ackerman, 'House of Representatives Moves to Ban NSA's "Backdoor Search" Provision', The Guardian (online), 21 June 2014 . 127 957 F Supp 2d 1 (D Colo, 2013). 128 KlaymanvObama, 957F Supp2d 1, 11 (Leon J) (D Colo, 2013).
734 Volume 37(2) Thematic: Surveillance, Big Data and Democracy
on the merits of their Fourth Amendment claim, and that they will suffer
irreparable harm absent preliminary injunctive relief.' 29 However, given the
national security interests implicated in the case, the injunction would be stayed
pending appeal. 130
In American Civil Liberties Union v Clapper, 131 Pauley III DJ reached the
opposite conclusion, finding that the bulk telephony metadata program is lawful
and not susceptible to a constitutional challenge. Revisiting the claims that had
been made in the earlier Supreme Court case of Clapper v Amnesty International
USA, the American Civil Liberties Union ('ACLU') based its claim on three
sources of injury:
1. the 'collection of ... metadata related to the ACLU's phone calls';1 32
2. the search of the metadata related to the ACLU's phone calls when the
NSA checks the phone numbers three 'hops' away from the 'seed'
number (ie, the number which is the subject of the search); and
3. the chilling effect on all those who may hesitate to make contact with the
ACLU due to knowledge that the NSA will have a record that such a
telephone number was used to make that contact with the ACLU. 133
In this case, however, the ACLU was granted standing on the basis that it was
no longer in dispute that the government had collected the metadata relating to
the ACLU's phone calls. 134 With respect to the argument under the Fourth
Amendment, the ACLU argued that:
analysis of bulk telephony metadata allows the creation of a rich mosaic: it can 'reveal a person's religion, political associations, use of a telephone-sex hotline, contemplation of suicide, addiction to gambling or drugs, experience with rape, grappling with sexuality, or support for particular political causes. 135
The Court rejected this argument and noted that '[t]he collection of
breathtaking amounts of information unprotected by the Fourth Amendment does
not transform that sweep into a Fourth Amendment search.'36 Declaring that the
Court was still bound by the decision in Smith, the Court concluded that there
was no violation of the Fourth Amendment:
The right to be free from searches and seizures is fundamental, but not absolute ... Every day, people voluntarily surrender personal and seemingly-private information to transnational corporations, which exploit that data for profit. Few
129 Ibid 9 (Leon J). 130 Ibid 10. A notice of appeal was filed on 3 January 2014 and the case is continuing. 131 959 F Supp 2d 724 (SD NY, 2013) ('ACLUv Clapper'). 132 Ibid 735 (Pauley III J). 133 Ibid 736 (Pauley III J). 134 Ibid 38 [4] (Pauley III J). 135 Ibid 750 [33] (Pauley III I), citing Edward W Felten, 'Supplementary Declaration of Professor Edward W Felten', Submission in American Civil Liberties Union v Office ofthe Director ofNational Intelligence, 13-cv-03994 (WHP), 26 August 2013. 136 ACLUv Clapper, 959 F Supp 2d 724, 752 [33] (Pauley III J) (SD NY, 2013).
2014 735 UNSW Law Journal
think twice about it even though it is far more intrusive than bulk telephony metadata collection.'
The section 215 and PRISM scenarios generate fundamental questions
regarding the nature of privacy in the US. Does privacy exist solely in the context
of the Fourth Amendment and, given the limitations in the Fourth Amendment
flagged above, do these concerns need more specific protection in the digital
age? This would need to take account of consumer practices and internet business
models, such as the extent of personal information collected by service providers
like Pandora. This would most likely require specific and targeted legislation.138
D UK Responses to Surveillance
UK privacy law has been complicated by the impact of the European
Convention on Human Rights ('ECHR'). 139 Common law evolution of privacy
law under tortious and equitable principles has had to adapt to address
requirements under the ECHR, through the Human Rights Act 1998 (UK) c 42. 140
Privacy concepts have been dealt with under breach of confidence (equity) and
the nascent doctrine of misuse of private information (tort). In addition, the UK
has enacted the Data Protection Act 1998 (UK) c 29 which implements the
European Union ('EU') Data Protection Directive. 141
The UK has been directly caught up in the outcomes of the Snowden
revelations, with the UK being one of the 'Five Eyes' partners with the US, as
well as revelations regarding the UK's own mass data surveillance program
through the Government Communications Head Quarters. 142 However, no law
reform has been proposed in the wake of the revelations, but rather a review of
internet surveillance practices and their control and oversight in the UK has been
137 Ibid 756-7. 138 It is beyond the scope of this article to specify the shape and nature of such legislation, but for a UK based example, see Wacks, above n 87, 263-70. 139 Convention for the Protection ofHuman Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953), as amended by Protocol No 14 to the Convention for the Protection ofHuman Rights and Fundamental Freedoms, Amending the Control System ofthe Convention, opened for signature 13 May 2004, CETS No 194 (entered into force 1 June 2010). 140 For a discussion of these developments, see also Helen Fenwick and Gavin Phillipson, Media Freedom Under the Human Rights Act (Oxford University Press, 2006); Gavin Phillipson, 'Transforming Breach of Confidence? Towards a Common Law Right of Privacy under the Human Rights Act' (2003) 66 Modern Law Review 726. 141 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection ofIndividuals with Regard to the Processing ofPersonal Data and on the Free Movement ofSuch Data [1995] OJ L 281/31. For further information on proposed reforms to EU Data Protection law, see David Lindsay, 'The "Right to be Forgotten" in European Data Protection Law' in Normann Witzleb et al (eds), Emerging Challenges in Privacy Law: Comparative Perspectives (Cambridge University Press, 2014) 290. 142 Greenwald, above n 59, 161-8.
736 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
commissioned, to be conducted by the independent think tank, Royal United
Services Institute ('RUSI'). 43
A recent UK High Court decision in which Tugendhat J confirmed the
existence in the UK of a tort of misuse of private information provides some
useful guidance regarding how anonymous and collated data may be viewed in a
privacy context in the UK: Vidal-Hall v Google Inc. 144 In this case three UK-
based users of Google alleged that Google had misused their private information
and acted in breach of confidence and their statutory duties under section 4(4) of
the Data Protection Act 1998 c 29 by tracking and collating information relating
to their internet usage using the Safari browser in 2011 and 2012, such as which
websites they visited, how frequently they visited the sites, how long they spent
on the site and in what order sites were visited. The essence of their claim is that
Google collected information from their computers, and other internet enabled
devices, regarding their browsing habits. Each claimant specified in a
confidential schedule their 'individual personal characteristics, interests, wishes
and ambitions,' which they used as the basis of the claim that:
they suffered distress, when they learnt that such matters were forming the basis for advertisements targeted at them, or when they learnt that, as a result of such targeted advertisements, such matters had in fact, or might well have, come to the knowledge of third parties who they had permitted to use their devices, or to view their screens. 145
The claimants' damage is based upon the harm caused to them by the fact
that their apparent interests (deduced from their browsing habits) were used to
target advertising to them which disclosed certain information about them based
on those interests as evidenced in their online habits. Those advertisements, and
the personal information that they disclosed, may have or had been viewed by
third parties viewing the claimants' devices. 146 Justice Tugendhat noted that,
whilst targeted advertisements which merely reveal the employment of the user
may not cause any damage:
if the targeted advertisements apparently reveal other information about the users, whether about their personalities, or their immediate plans or ambitions, then if these matters are sensitive, or related to protected characteristics (e.g., beliefs), or to secret wishes or ambitions, then the fear that others who see the screen may find out those matters, and act upon what they have seen, may well be worrying and distressing. 147
143 RUSI to Convene Independent Review on the Use ofInternetDatafor Surveillance Purposes (4 March 2014) RUSI . 144 [2014] EMLR 14 (Tugendhat J). 145 Ibid 349 [22] (Tugendhat J). 146 Ibid 350 [23] (Tugendhat J). 147 Ibid 350 [24].
2014 737 UNSW Law Journal
Whilst all of the claimants claimed acute distress and anxiety, none of them
claimed to have suffered any discrimination or other direct harm.148
Justice Tugendhat had to decide the preliminary matter of whether the
claimants could serve their claim out of jurisdiction. Therefore the Court's
decisions on more specific matters relating to the misuse of private information
claim were of a preliminary nature only. Google was resisting the application for
service outside of jurisdiction. In order to satisfy the requirements of the service
out rules, the claimants framed their argument on a number of grounds including
tort. With respect to this claim, Google argued that the cause of action based on
misuse of private information or breach of confidence was not a tort; that no
significant physical or economic harm was suffered by the claimants and the act
complained of was not committed in the jurisdiction.
Whilst Tugendhat J asserted that it was clear that 'a claim for breach of
confidence is not a claim in tort,' 49 the position may be different with respect to
misuse of private information. 50
Justice Tugendhat then quoted directly from Lord Nicholls in Campbell v
MGN Ltd [2004] 2 AC 457:
This cause of action has now firmly shaken off the limiting constraint of the need for an initial confidential relationship. In doing so it has changed its nature. In this country this development was recognised clearly in the judgment of Lord Goff of Chieveley in Attorney-General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109, 281. Now the law imposes a 'duty of confidence' whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential. Even this formulation is awkward. The continuing use of the phrase 'duty of confidence' and the description of the information as 'confidential' is not altogether comfortable. Information about an individual's private life would not, in ordinary usage, be called 'confidential'. The more natural description today is that such information is private. The essence of the tort is better encapsulated now as misuse ofprivate information. 151
Justice Tugendhat then highlighted Lord Nicholls' observation that the
privacy tort and the equitable action of breach of confidence, although related,
148 Ibid 350 [25] (Tugendhat J). It should be noted that the conduct engaged in by Google during the relevant time had since been discontinued, due to regulatory sanctions brought by the United States Federal Trade Commission, which were settled in August 2012, and the outcomes of US state-based consumer actions brought by US State Attorney-Generals on behalf of 37 US states and the District of Columbia: ibid 355- 6 [44]-[45] (Tugendhat J). 149 Ibid 357 [52], citing KitetechnologyBVv Unicor GmbHPlastmaschinen [1995] FSR 765, 777-8 (Evans LJ) ('Kitetechnology'). 150 Vidal-Hallv Google Inc [2014] EMLR 14, 357 [53] (Tugendhat J). Justice Tugendhat quotes Vestergaard FrandsenA/Sv Bestnet Europe Ltd [2010] FSR 2, 41-2 [19] where Arnold J stated that whilst breach of confidence is not a tort (citing Kitetechnology), '[m]isuse of private information may stand in a different position': Campbell vMGN Ltd [2004] 2 AC 457, 465 [14] (Lord Nicholls), in support of this suggestion: Vidal-Hallv Google Inc [2014] EMLR 14, 358-9 [58]-[59] (Tugendhat J). 151 Vidal-Hallv Google Inc [2014] EMLR 14, 358-9 [59], quoting Campbell vMGN Ltd [2004] 2 AC 457, 465 [14] (Lord Nicholls) (emphasis added).
738 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
should be treated separately. 152 Noting that 'there have since been a number of
cases in which misuse of private information has been referred to as a tort
consistently with OBG and these cannot be dismissed as all errors in the use of
the words "tort"'. 153 Justice Tugendhat concluded 'that the tort of misuse of
private information is a tort' within the meaning of the relevant rules.' 154
Therefore the claimants' claim for damages fell within the requirements of the
rules relating to service out. 155
On the question of whether the information was private, it was submitted on
behalf of Google that the information collected about the claimants browsing
habits was anonymous and not private:
The aggregation of such information sent to separate websites and advertising services cannot make it private information. One hundred times zero is zero, so one hundred pieces of non-private information cannot become private information when collected together. 156
Justice Tugendhat rejected this approach, noting that Google would not have
gone to the effort to collect and collate this information unless it resulted in
'something of value'. 15' Further, he concluded the fact that individual Google
employees do not identify or recognise the identity of people from whom the data
is collected is 'irrelevant'. 158 At some point the claimant becomes identifiable as a
152 Ibid 361 [67]. Justice Tugendhat refers to OBG Ltd vAllan [2008] 1 AC 1, where Lord Nicholls said at 72 [255]:
As the law has developed breach of confidence, or misuse of confidential information, now covers two distinct causes of action, protecting two different interests: privacy, and secret ('confidential' information. It is important to keep these two distinct. In some instances information may qualify for protection both on grounds of privacy and confidentiality. In other instances information may be in the public domain, and not qualify for protection as confidential, and yet qualify for protection on the grounds of privacy. Privacy can be invaded by further publication of information or photographs already disclosed to the public. Conversely, and obviously, a trade secret may be protected as confidential information even though no question of personal privacy is involved.
153 Vidal-Hallv Google Inc [2014] EMLR 14, 361 [68] (Tugendhat J). 154 Ibid 361 [70]. Further consideration was then given to the question as to whether the claimants had suffered any recognisable and relevant damage. Justice Tugendhat concluded that '[d]amages for distress are recoverable in a claim for misuse of private information, e.g. Mosley v News Group Newspapers Ltd [2008] EMLR 20': at 362 [74] (Tugendhat J). 155 Ibid 374-5 [143] (Tugendhat J). It is noted that the claimants also included a claim based upon a breach of statutory duties under the Data Protection Act 1998, on the basis that Google (as a 'data controller') processed their 'personal data' in breach of obligations under the data protection principles set out in the Data Protection Act. In particular they claimed Google had obtained 'private information' of the claimants without their knowledge or consent: Vidal-Hall v Google Inc [2014] EMLR 14, 353-4 [37] (Tugendhat J). The issue for the Court in this preliminary hearing was to determine if Google had in fact processed the personal data of the claimants and the judge was prepared to conclude that the matter was sufficiently arguable: As the case was concerned with the issue of service out, the data protection claim was not considered in detail. 156 Ibid 370 [115] (Tugendhat J). 157 'It would not collect and collate the information unless doing so enabled it to produce something of value. The value it produces is the facility for targeted advertising of which the Claimants complain, and which yields the spectacular revenues for which Google Inc is famous': ibid 370 [116] (Tugendhat J). 158 Ibid 117.
2014 739 UNSW Law Journal
result of the collation and use of the information, in this case, at the point where
the targeted advertisements become visible on their screen by a third party. 5
Justice Tugendhat conceded that not all of the generated information would give
rise to claims of privacy. However, in the individual cases the particular types of
information identified by the claimants was private information.160
This case illustrates the complex relationship between the concerns of
privacy law and protection of private information. As is noted by the Court the
argument made by Google that generic, harvested information, which can be
used to generate highly detailed predictive profiles of an individual and then used
to direct personally targeted information back to them, is not 'private' seems
disingenuous in the specific context. Yet it is just these practices which are being
used by online service providers to generate and sell targeted advertising profiles.
They are based on voluntarily disclosed data, creating a contractual, but little
understood, relationship with a user. As this case illustrates, further exploration
of the relationships between consent, disclosure and collection and use of
information is required. Further, as the law currently stands, the algorithmic
intervention in such data may create a sufficient disconnect with the user to avoid
any liability under privacy law. Thus law reform is needed to address these
issues.
Notably, there seems to be movement in the EU on the attitudes towards
mass data collection. In April 2014, the Court of Justice of the European Union
held, in the joined cases C-293/12 and C-594/12, 161 that the EU Data Retention
Directive 62 iS invalid, on the basis that in casting the terms of the Directive, the
EU legislature had exceeded the limits of the principle of proportionality in
relation to Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the
European Union. 163 The Data Retention Directive was intended to harmonise the
laws of Member States with respect to the collection and retention of data
generated or processed in the course of the supply of communications services,
by providers of publicly available electronic communications services or of a
public communications network, ie, internet and telephone records. 164 Data
gathering on this scale was justified as essential for the purposes of national
security, anti-terrorism and for the prevention of crime. 165 As with the US system
159 Ibid 371 [117] (Tugendhat J). 160 Ibid 371 [118] (Tugendhat J). He further noted: '[t]hese are not generic complaints. They are complaints about particular information about particular individuals, displayed on particular occasions (even though the precise dates and times of the occasions are not identified)': ibid 371 [119] (Tugendhat J). 161 DigitalRights Ireland Ltd v Ministerfor Communications, Marine and Natural Resources; Karntner Landesregierung v Seitlinger (European Court of Justice, C-293/12; C-59/14, 8 April 2014) [69]-[73]. 162 Directive 2006/24/EC ofthe European Parliament and ofthe Council of15 March 2006 on the Retention ofData Generated or Processed in Connection with the Provision ofPubliclyAvailable Electronic Communications Services or ofPublic Communications Networks and Amending Directive 2002/58/EC [2006] OJ L 105/54 ('EU Data Retention Directive') 163 [2009] 0J C 326/391. 164 EUData Retention Directive [2006] OJ L 105/54 art 1. 165 Ibid Preamble; art 1.
740 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
of data retention, the Directive authorised the collection of data related to
location, time, duration of call but not content of the message or
communication.166 However, again, as has already been observed with respect to
the metadata collection in the US, the European Court of Justice observed that
the nature of the data collected could generate a very detailed record relating to
the individuals concerned, such as their location, who they are communicating
with, how and for how long and how frequently they are communicating, and the
time and place of the communication. 167 Whilst the collection of such data may
be justified on the basis of the general interest in the prevention of crime and
national security, the Directive infringed too far upon fundamental rights to
respect for private life and to the protection of personal data. The retention and
use of such data would subject people to the feeling that they were under constant
surveillance. 168 The effect of this decision will be to require amendment of
national legislation, including that of the UK, to take account of this ruling.
Notably the decision encompasses both private life (privacy) and personal data
(data protection).
Shortly following this decision, the EU Data Protection Working Party
adopted Opinion 04/2014 on Surveillance of Electronic Communications for
Intelligence and National Security Purposes. 169 Concluding that 'secret, massive
and indiscriminate surveillance programs are incompatible with our fundamental
laws and cannot be justified by the fight against terrorism or other important
threats to national security', 170 the Opinion makes a number of recommendations.
These included greater transparency on how data is collected and used, clearer
laws surrounding data sharing, effective oversight of intelligence services and
enforcing compliance with protections and freedoms under the ECHR."' It is
therefore likely that UK laws will be strengthened to reflect greater control over
the use of data generated as a consequence of personal communications and
transactions. Again, privacy seems a woefully inadequate tool to regulate the use
of big data.
166 Ibid art 5. 167 DigitalRights Ireland Ltd v Ministerfor Communications, Marine and Natural Resources; Karntner Landesregierung v Seitlinger (European Court of Justice, C-293/12; C-59/14, 8 April 2014) [27]:
Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
168 Ibid. 169 'Opinion 04/2014 on Surveillance of Electronic Communications for Intelligence and National Security Purposes' (Working Party Document No 215, Article 29 Data Protection Working Party, 10 April 2014). The Working Party was established under Article 29 of Directive 95/46/EC as an independent European advisory body on data protection and privacy. 170 Ibid 2. 171 Ibid.
2014 741 UNSW Law Journal
IV THE AUSTRALIAN CONTEXT
Like the UK, Australian law adopts a piecemeal approach to protection of
various privacy interests. 172 The Privacy Act 1988 (Cth) is primarily concerned
with data protection,3 17 and imposes obligations on 'APP entities' 17 -particularly
Australian government agencies, private organisations with a turnover of more
than $3 million and certain small businesses 17 - regarding the collection,
handling and use of 'personal information'. 'Personal information' is defined in
section 6(1) of the Act as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
This limitation to an identified or reasonably identifiable individual
immediately restricts its relevance in the seemingly anonymised big data context.
Australian government agencies, when collecting or managing citizens' data, are
also subject to a range of legislative controls, and must comply with the a number
of Acts and regulations. 176 There are also many forms of overlapping and
sometimes inconsistent anti-surveillance laws. 177 Protection of privacy interests
may also arise in the context of the breach of confidence action, far more limited
in the Australian context by the requirement of a pre-existing relationship or
understanding, than in the evolving UK doctrine. 17' Additionally, there is nascent
recognition of a common law tort of privacy in Australian common law. 171
172 For a detailed overview of the current Australian privacy law, see Australian Law Reform Commission, Serious Invasions ofPrivacy in the Digital Era, Discussion Paper No 80 (2014) 37-50 ('ALRC Discussion Paper'). See also Megan Richardson and Andrew Kenyon, 'Privacy Online: Reform Beyond Law Reform' in Normann Witzleb et al (eds), Emerging Challenges in Privacy Law: Comparative Perspectives (Cambridge University Press, 2014) 338, 340, 344-51. 173 ALRCDiscussion Paper, above n 172, 38, para 3.3. 174 Privacy Act 1988 (Cth) s 6(1) (definition of 'APP entity'). 175 ALRCDiscussion Paper, above n 172, 38; PrivacyAct 1988 (Cth), s 6(1) (definitions of 'agency' and 'organisation'). See also State and Territory equivalents: Privacy andPersonal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Department of the Premier and Cabinet (SA), Information Privacy Principles (IPPS) Instruction (2013); Personal Information Protection Act 2004 (Tas); Information Privacy Act 2000 (Vic). 176 See, eg, Freedom ofInformation Act 1982 (Cth); Archives Act 1983 (Cth); Telecommunications Act 1997 (Cth); Electronic Transactions Act 1999 (Cth); Intelligence Services Act 2001 (Cth). 177 See ALRC Discussion Paper, above n 172, 41-2 [3.20]-[3.23]. See, eg, Listening Devices Act 1992 (ACT); Surveillance Devices Act 2007 (NSW); Surveillance Devices Act (NT); Invasion ofPrivacy Act 1971 (Qld); Listening and Surveillance Devices Act 1972 (SA); Listening Devices Act 1991 (Tas); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 1998 (WA). 178 Megan Richardson, 'Towards Legal Pragmatism: Breach of Confidence and the Right to Privacy' in Elise Bant and Matthew Harding (eds), Exploring Private Law (Cambridge University Press, 2010) 109, 111- 15, 119-23. See also ALRC Discussion Paper, above n 172, 68-9. 179 See Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, 258 [132] (Gummow and Hayne JJ).
742 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
Recently, the Australian government has strengthened the Privacy Act
(through the passing of the Privacy Amendment (Enhancing Privacy Protection)
Bill 2012 (Cth) to enhance the protection of and set clearer boundaries for usage
of personal information. 8o The Australian Law Reform Commission ('ALRC')
has also recommended the introduction of a statutory cause of action for a
'serious invasion of privacy'."' The suggested introduction of a stand-alone tort
is intended to address a range of privacy intrusions, including physical invasions
of privacy and online abuses, but is not specifically directed at data privacy. 182
The elements of the suggested tort are an 'intentional or reckless invasion of
privacy' by:
(a) intrusion into the plaintiffs seclusion or private affairs (including by unlawful surveillance); or
(b) misuse or disclosure of private information about the plaintiff. 183
The proposed action is also subject to the conditions that:
A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances ... The court must consider that the invasion of privacy was 'serious', in all the circumstances, having regard to, among other things, whether the invasion was likely to be highly offensive, distressing or harmful to a person of ordinary sensibilities in the position of the plaintiff ... The court must be satisfied that the plaintiff's interest in privacy outweighs the defendant's interest in freedom of expression and any broader public interest in the defendant's conduct. 184
A particular issue will be the role of consent as a defence to any breach of
privacy under the proposed statutory cause of action. As the ALRC Discussion
Paper notes there are many degrees to consent. In particular: 'some have
questioned whether clicking "I agree" to a 40 000-word term of a contract is, in
fact, consent and there are calls for the whole issue of consent in the context of
online services to be reviewed.""' The Discussion Paper suggests that this debate
should occur 'in ... the context of consumer protection. '186
180 Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1. See, eg, Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 pt 1.1 (Australian Privacy Principle 1 -open and transparent management of personal information); Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 pt 2.3 (Australian Privacy Principle 3 -collection of solicited personal information); Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 pt 2.5 (Australian Privacy Principle 5 -notification of the collection of personal information); Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 pt 4.11 (Australian Privacy Principle II -security of personal information). 181 ALRCDiscussion Paper, above n 172, 53. 182 Ibid 54 [4.8], 76. 183 Ibid 62. 184 Ibid 62-3. 185 Ibid 97 [6.52], citing Solove, above n 11. 186 ALRCDiscussion Paper, above n 172, 97 [6.52]. See also Richardson and Kenyon, above n 172, 349.
2014 743 UNSW Law Journal
The proposed protection of privacy as a tort is consistent with the UK
approach outlined above."' In addition, the ALRC contemplates that actions for
breach of confidence would still continue to evolve.' Therefore the scope of
rights against invasions of personal privacy would appear to be expanded by the
ALRC proposals. However, notably, the proposed statutory right of action
applies only to unlawful surveillance."' As Australia has no bill of rights or any
constitutional protections akin to those outlined above with respect to the US,
UK or EU it is unlikely that these changes will go any way to addressing the
concerns regarding either government surveillance or the seemingly consensual
collection of data about our online movements by platform providers with whom
we 'consent' to exchange information in order to make use of their platform.
Australia is one of the Five Eyes partners with the US (along with
Canada, New Zealand, and the UK) and as such is involved in the collection
and sharing of intelligence information about its own citizens and those
of the other Five Eyes partners. Indeed in 2011, Australia, through the
Defence Signals Directorate, sought enhanced surveillance of Australian
citizens due to the 'increasing number of Australians involved in
international extremist activities'. 9o Commonwealth 'enforcement agencies' can
request historical communications data from service providers without a warrant
under the Telecommunications (Interception and Access) Act 1979 (Cth), where
the information is considered reasonably necessary for certain specified purposes
including enforcement of the criminal law."' The total number of requests must
be reported annually. For example, in 2011-12, Australian law enforcement
agencies, other than the Australian Security Intelligence Organisation ('ASIO'),
made 293 501 requests for telecommunications data without a warrant or any
judicial oversight. 192 Unlike the CIA and the British intelligence agencies, ASIO
has blanket immunity from freedom of information legislation.193
In 2012, following a review of national security legislation, the then Labor
Australian Government announced the proposed introduction of a requirement
that carriage service providers retain data regarding use of internet and phone
services for up to two years. 194 In June 2013, the Parliamentary Joint Committee
187 Vidal-Hallv Google Inc [2014] EMLR 14, 356-63 [50]-[75] (TugendhatJ). Although the development of the tort of privacy in the UK is found in common law, the development occurred within the context of legislative change required by the Human Rights Act 1998 (UK) c 42. In Australia specific legislative intervention would be required. 188 ALRCDiscussion Paper, above n 172, 60 [4.33]. 189 Ibid 97 [6.52], citing Solove, above n 11. 190 Greenwald, above n 59, 122. The Australian Signals Directorate (formerly the Defence Signals Directorate) is an Australian Government intelligence agency within the Department of Defence. 191 See, eg, Telecommunications (Interception and Access) Act 1979 (Cth) ss 178, 178A, 179. 192 Attorney-General's Department, Telecommunications (Interception andAccess) Act Report for the Year Ending 30 June 2012 (2011-12) 66. 193 Freedom ofInformation Act 1982 (Cth) sch 2 pt 1 div 1. 194 See also Bruce Baer Arnold, 'If Nicola Roxon Doesn't Believe in Her Own Policy, Why Should We?' The Conversation (online), 25 July 2012 .
744 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
on Intelligence and Security tabled its Report of the Inquiry into Potential
Reforms of Australia's National Security Legislation. "' The data retention
proposals were shelved pending the federal election. In December 2013 the
Senate referred a comprehensive revision of the Telecommunications
(Interception and Access) Act 1979 (Cth) to the Senate Legal and Constitutional
Affairs References Committee.196 However, the current Australian Attorney-
General announced in early August 2014 that internet service providers and
telecommunications providers will be required to keep user metadata for two
years in order to provide access to such data by law enforcement agencies. 17 No
formal procedures have yet been announced, with the proposal having only been
flagged in press conferences. Some significant gaps have already been
highlighted in the government's overall understanding of how such a program
may work but the details remain to be worked out."' These proposals have
attracted significant attention in light of the Snowden revelations. Again, it
should be noted that as such collection involves metadata rather than the content
of communications it will fall outside the scope of existing Australian privacy
regimes. However, as the above analysis reveals the predictive value of such data
cannot be overstated.
Recent Australian cases highlight the vulnerability of personal data
collection being posted online,"' how easily metadata can be obtained by outside
195 Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Report ofthe Inquiry into Potential Reforms ofAustralia's National Security Legislation (2013). 196 Senate Legal and Constitutional Affairs Committee, Parliament of Australia, Comprehensive Revision of Telecommunications (Interception andAccess) Act 1979 (2013):
On 12 December, the Senate referred the following matter to the Legal and Constitutional Affairs References Committee for inquiry and report: Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 (the Act), with regard to:
* the recommendations of the Australian Law Reform Commission For Your Information: Australian Privacy Law and Practice report, dated May 2008, particularly recommendation 71.2; and
* recommendations relating to the Act from the Parliamentary Joint Committee on Intelligence and Security Inquiry into the potential reforms ofAustralia's National Security Legislation report, dated May 2013.
197 Emma Griffiths, 'Govermment Backtracks on Racial Discrimination Act 18C Changes; Pushes ahead with Tough Security Laws', ABC News (online), 5 August 2014 ; Emma Griffiths, 'Data Retention Laws: Tony Abbott Says Government "Seeking Metadata", Not Targeting People's Browsing History', ABC News (online), 6 August 2014 . 198 Ben Grubb and James Massola 'What is "Metadata" and Should You Worry if Yours Is Stored by Law?' The Sydney Morning Herald (online), 6 August 2014 . 199 See, eg, Mastrangioli v Chisholm Institute of Technical and Further Education [2014] FCA66. All of the witnesses gave evidence of not having known that Ms Mastrangioli had been a patient at Casey and that they did not know of, and had not seen, her medical records which had been put on the intemet: at [2] (Pagone J).
2014 745 UNSW Law Journal
organisations and countries, and the lack of protection for individuals when their
data collection is corrupted. 00
Australian privacy law therefore remains, like the US and UK law, woefully
underdeveloped when it comes to protection of individuals' metadata or
'voluntarily' disclosed data. Many ubiquitous, day to day disclosures of data,
such as postings on Facebook, use of search terms or hash tags, likes, retweets
and public polls would be regarded as public rather than private disclosures.
These disclosures are then used to develop detailed algorithmic profiles, to which
no privacy regulation would apply, despite potential enduring and significant
impacts of that profile.
V CONCLUSIONS
Current technologies make surveillance and data capture a convenient by-
product of ordinary daily transactions and interactions. Data capture is so
ubiquitous that it is easier to capture it all and interrogate it later. Little regard has
been had to the individual privacy interests of citizens within this context and
current privacy paradigms are ill-equipped to address algorithmic and predictive
uses of big data.
It must be recognised that threats to privacy can come equally from
government and the private sector. The proposed US solution of ending bulk data
storage by the government and transferring the responsibility to private providers
carries with it the potential for continued exploitation. As demonstrated by
Vidall-Hall v Google Inc, data mining can enable corporations to single out
customers who are statistically profitable and calculate the exact minimum level
to make customers loyal, therefore reinforcing the contractual power imbalances
between consumers and producers.201
Surveillance should require 'legal process and the involvement of the
judiciary to ensure that surveillance is targeted, justified, and no more extensive
than is necessary'.20 Richards asserts that
while covert domestic surveillance can be justified in discrete (and temporary) instances when there is rigorous judicial process, blanket surveillance of all internet activity menaces our intellectual privacy and gives the government too much power to blackmail or discriminate against the subjects of surveillance. 203
Further, the belief in the existence of constant monitoring operates as a
chilling effect upon freedom of communication, deterring participation in the
200 See, eg, Denlay v Federal Commissioner ofTaxation (2010) 81 ATR 644; Denlay v Federal Commissioner ofTaxation [No 2] (2011) 83 ATR 872 (dealing with illegally obtained information affecting a tax assessment). 201 See, Palmas, above n 3, 349. 202 Richards, above n 1, 1961. 203 Ibid.
746 Volurne 37(2) Thematic: Surveillance, Big Data and Democracy
democratic process. 04 In a free society, all forms of surveillance must be
ultimately accountable to a self-governing public. Statutory law is easily
adaptable and can be applied to bind both government and non-government
actors. Accordingly, a meaningful legal process of issuing a warrant supported by
probable cause needs to be followed before the government can perform the
digital equivalent of reading our diaries or worse, making a decision on the basis
of casting our horoscopes.
It is important to follow the rule of law and have a member of the judiciary
provide independent oversight of the use of coercive or invasive powers of data
collection. Otherwise, the collection of big data is unhindered and unreviewable
which undermines democracy. In addition, a statutory right to prevent misuse of
information linked to or generated about a person from big data by both
government and business would go some way to protect individual privacy.
However, this would also necessitate significant changes to current internet-
based business models to prevent the bulk exploitation of our bulk data. Change
is needed now to address these issues, before the rampant algorithms make it
impossible to claw back what little privacy we retain in the online environment.
204 Ibid 1945.
2014 747
