University of New South Wales Law Journal Student Series


Thompson, Emma --- "How 'Open' Is Open Government Data? A Comparative Analysis Of The Impacts Of Data Protection Legislation On Government Transparency" [2019] UNSWLawJlStuS 9; (2019) UNSWLJ Student Series No 19-09


HOW ‘OPEN’ IS OPEN GOVERNMENT DATA? A COMPARATIVE ANALYSIS OF THE IMPACTS OF DATA PROTECTION LEGISLATION ON GOVERNMENT TRANSPARENCY

EMMA THOMPSON

I INTRODUCTION

Transparency of government action is one of the central tenets underpinning the notion of ‘good governance’.[1] One of the ways this can be achieved is through increasing the availability of information about government action to citizens without the burden of following formal application processes under freedom of information (FOI) laws. Technological developments over time have improved the way that people access information, as well as improving the breadth of information available through digital means.[2] Government departments globally have embraced this by establishing open data portals which can inform citizens on government performance, expenditure and service improvement opportunities.[3] Public sector data is a mechanism that encourages public scrutiny of public officials and administrators, promoting democracy and accountability through transparency and access to certain types of government information. Despite these benefits, the use of open government data raises important issues about security, trust and privacy in the collection, processing and release of personal information informing these datasets. Data protection laws have been enacted in Australia and the European Union (EU) responding to some of these issues, but there is limited academic commentary about the implications of the intersection between government transparency and personal privacy in this context.

This essay aims to identify the extent to which data protection laws in Australia and the EU limit the transparency function of government-run open data portals. To achieve this, it is first necessary to understand the history of open data and the justification for its use by government agencies as explored in Part II. Relevant data protection law and policies will be reviewed in Part III, forming the basis of comparison of approaches to the practical impacts of data protection laws on government objectives. The limitations of these laws can be broadly defined as a conflict between the protection of individuals’ and collective privacy through data protection laws and policies, and the role open data plays in enhancing government transparency,[4] explored from a theoretical perspective in Part IV. Finally, Part V evaluates some of the pertinent legal issues relating to the use of open government data and the adequacy of the laws described in Part III in the context of the theoretical concepts discussed in Part IV.

II OPEN GOVERNMENT DATA

Open data is defined as information that can be ‘freely used, modified and shared by anyone for any purpose’.[5] Most definitions of open data also specify that it must be easily and freely accessible by individuals in terms of costs, format and location.[6] Open government data is a sub-species of open data and data in a broader sense,[7] and refers to information collected, processed and published or shared by government agencies to the public at large.[8] The rationale behind the use of open government data is generally predicated on the principles in the academic literature and at law which identify the need for public data to be current, accessible and able to be reviewed.[9] By extension, it is expected that agencies should engage with their constituents to encourage the use of such datasets.[10] Its purpose may be likened to the disclosure of information under FOI laws in the sense that public access is granted to certain types of government information. However, a key difference between the two types of information is the readiness of its availability and the need for the interested person to formally request access to the information.

The data used is the core of any open data initiative of private or public sector origin.[11] Data can come from a range of sources (e.g. government data, user generated content and corporate data) and can be ‘mixed’ together for use within a range of business and community models.[12] In recent years, there has been increased interest in the use of open data by government bodies in areas such as citizen mobility (public transport patronage), security (crime statistics) and economic development (building approvals and business establishment).[13] This has resulted in the development of two key assumptions about the role of open data in the contemporary machinery of government. The first suggests that government agencies exhibit a readiness to welcome constructive and sometimes opposing feedback about their current and proposed actions.[14] The second proposes that there is a degree of a loss of control of governments when opening data, but it can be viewed as being potentially beneficial by enabling the public to be involved in data processing.[15] These two factors are intertwined and can be used to reasonably infer that this form of ‘informational self-determination’ is a precondition to achieving the ideals of a democratic society.[16]

Despite some of the advantages of utilising open government data described above and throughout this essay, there are some unintended consequences of its use which are yet to be adequately addressed through law reform or institutional change. Accessibility to data remains a prominent concern raised in academic discourse, with assumptions that the only users of open data are suitably trained and resourced to effectively use the data.[17] In addition, the practical effects of data governance are regularly discussed in the government information,[18] technology law,[19] and computing sectors.[20] A key theme emerging in this discourse is the value of open government data in assisting citizens to learn about how the environments they live, work and play in operate on a day-to-day basis. This raises important questions about whether the use and regulation of open data is actually beneficial to the public given the widely documented resentment towards growing surveillance of civilians and data processing, particularly when linked to the actions of government authorities.[21]

III LEGAL CONTEXT

This essay undertakes a comparative analysis of Australian and EU legislation and policy positions on data protection to inform the assessment of their impact on the transparency functions of government-run open data portals. The focus on Australian federal legislation and general regulation in the EU was intentionally selected to examine the effect of a holistic approach across a large jurisdiction rather than focusing on specific legislation governing smaller geographic areas. Analysis of these two jurisdictions also serves as an important point of comparison given the potential implications and application of the General Data Protection Regulation (‘GDPR’)[22] in different jurisdictions, including Australia.

A Australia

In Australia, there is no general legal right to privacy.[23] The current data protection framework in Australia is mostly contained within the Privacy Act 1988 (Cth),[24] which affords protections to individuals and groups by regulating the handling of personal information by federal agencies. In addition to the federal legislation, some states and territories have also enacted legislation applying to their individual jurisdictions.[25] Of particular relevance to this essay are Part III and Schedule 1 of the Privacy Act, which govern information privacy and set out the Australian Privacy Principles (APPs) respectively.[26] These provisions have been designed to operate in a way that seeks to protect individuals from potential harms culminating from data breaches. Amendments to the Act were enacted in February 2018,[27] which relate to mandatory notification requirements for data breaches. These will be considered in further detail in Part V.

The Office of the Australian Information Commissioner plays an integral role in administering the Privacy Act and ensuring that appropriate privacy protection measures are enforced against Commonwealth departments and agencies. This role was previously assumed by the Office of the Privacy Commissioner.[28] The Commissioner is given legislative authority to investigate and conciliate complaints relating to breaches of APPs and the Privacy Act more generally.

B European Union

In Europe, there is currently no harmonisation of data protection laws across the continent as each individual country has its own specific laws and regulations. Despite this incongruence at a broader continental level, the GDPR seeks to take a holistic approach to regulating data protection across the EU, pending adoption across all member states.[29] The GDPR replaces the Data Protection Directive (Directive 95/46/EC) and the ePrivacy Directive (Directive 2002/58),[30] which sought to govern the use and reuse of public sector data and strengthen Europe’s participation in global information markets. When compared to the Australian laws described above, the current European regulatory framework adopts a more rights-based approach, drawing on the provisions in the European Union Charter of Fundamental Rights relating to the protection of personal data rather than privacy in a general sense.[31]

As the territorial scope of the GDPR has the potential to apply globally,[32] it does not make sense to restrict the protection of EU citizens at a global level. Because of this reasoning, the potential extraterritorial application of the GDPR could have implications for data management companies based in the EU that may be engaged by government departments in other countries to collect, process or store data on their behalf. While not directly related to the area of inquiry explored in this paper, it is important to note when considering the practical realities of the development and distribution of open data in a broader sense.

IV THEORETICAL CONTEXT

To provide a theoretical foundation for this essay and inform the key areas of inquiry in the comparative analysis of Australian and EU laws, this section critically examines the concepts of privacy and government transparency in the context of government-run open data portals. These two concepts are bridged together to identify the inherent conflict between the right to privacy in a data protection context and the importance of government transparency. In doing so, it contextualises the increased proliferation of open government data in a global setting and establishes direction for analysis in the following sections.

A Data protection and privacy

The right to privacy broadly constitutes a series of protections on the way an individual conducts their daily life. It is enshrined within the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.[33] The right to privacy is an evocative concept in legal theory as it is typically framed as an independent legal right conventionally understood as protection against the unwanted intrusion upon a person’s private affairs,[34] and not ‘merely as a right protecting information control’.[35] As the world has become an increasingly digital environment, interpretations of ‘privacy’ and ‘data protection’ have begun to overlap.[36] This has resulted in an increased focus on the protection of individuals’ information that Richards did not agree with including in his initial characterisation on the right to privacy.[37] When considering the use and public distribution of large sets of data for a government purpose, it is important to find the ‘right balance between privacy risks and [big] data rewards’.[38] The growing interest in the right to privacy in this context also establishes the need to identify whose rights count and whether they should be identified en masse or remain attached to the individual.[39]

A key difficulty that theorists and lawyers in this field face is that the terms ‘privacy’ and ‘data protection’ are often used synonymously,[40] which calls for the disambiguation of the two concepts in order to establish how the aims of open government data may be affected by data protection law. While their rationales are almost identical and are very closely linked, there are fundamental differences in the way they are considered practically and at law. An added layer of complexity in this debate at both a legal and theoretical level is the reliance on privacy principles to underpin the law,[41] which are generally not considered in a technology-specific manner.[42]

B Government transparency

One of the core values of a democratic society is the notion of government transparency, which essentially enables citizens to hold government administrators and politicians accountable for their actions or lack thereof.[43] This form of accountability can be framed in political, social and economic contexts and viewed as a way of building trust and improving citizen satisfaction with their elected representatives.[44] Based on this, there are two key considerations when observing the transparency function of open government data. The first relates to the need for citizens to know whether a government department is likely to hold their personal information and the purpose for which it will be used. The second considers any requirements for disclosure at the data handling or processing stage, which should be distinguished from any disclosure requirements at the data collection stage. Undertaking separate notification activities ensures that transparency is accounted for in all phases of opening data for the public, adopting the principles of transparency-by-design that are commended in technology and policy discourse.[45]

The use of open data in the public sector has been regarded by proponents as encouraging greater transparency and accountability, as well as ‘improv[ing] scientific research, foster[ing] innovation and stimulat[ing] economic growth’.[46] In this context, transparency refers to ease of access to and use of government information, which can be viewed as a politically driven motivation to instil public confidence in a government.[47] This form of transparency can be categorised in two different ‘levels’ based on the clarity of information made available. ‘Opaque’ transparency refers to information that does not divulge significant detail about particular behavioural patterns, while ‘clear’ transparency reveals reliable information in more detail.[48] This analysis suggests that differing levels of transparency in the information made publicly available by government agencies will affect the extent to which it achieves its ‘transparency’ function in the pursuit of a more open form of government.

V EVALUATION

Building on the findings of the preceding sections, the remainder of this essay evaluates some of the emerging legal issues relating to open data in a governmental context across many jurisdictions. These risks and challenges are a product of the political commitments of governments in the pursuit of engaging in the process of ‘open government’, which is often confused with the motivations to use ‘open data’ in a broader sense.[49] This evaluation extrapolates findings from Parts II, III and IV, identifying relative strengths and weaknesses of the current legislative frameworks in Australia and the EU.

A Key terms and definitions

Understanding the material scope of a particular law is determined by the key terms which highlight what is specifically being regulated.[50] Comparing the terminology used in different jurisdictions and their interpretation will inform the evaluation of the extent to which data protection laws limit the transparency function of open government data. This section considers the notions of ‘processing’ and ‘personal data’ under the GDPR and the analogous definitions of ‘handling’ and ‘personal information’ under the Privacy Act. Understanding the differences between the language used is also a product of understanding the contrasting regulatory designs adopted in each jurisdiction.

The two key terms of relevance under the Privacy Act relating to open data are ‘personal information’ and ‘handling’ as they relate to how raw data is manipulated to become the information made publicly available for citizens to access. The use of these terms has been criticised in recent years, particularly with respect to the ongoing uncertainty attached to the changing nature of what is considered ‘personal’. The interpretation of ‘personal information’ was considered in Privacy Commissioner v Telstra Corporation Limited,[51] which raised issues about the interpretation of older terms in a modern context. The Privacy Commissioner held that if an individual’s identity could be reasonably ascertained from information (in this case, the metadata from the mobile network), it should be retained as ‘personal information’, but the court disagreed with this position.[52] This case resulted in the narrowing of the scope of the ‘personal information’ definition, thereby limiting the regulatory burden on APP entities to report a data breach. By doing this, the transparency function of open government data may be undermined by limiting the opportunities for individuals to bring an action against a government entity.

The data protection regulations under the GDPR adopt the terms ‘personal data’ and ‘processing’ with reference to the concepts described above in an Australian context. An analysis of the GDPR’s definitions can be equated to analysis of the terms within the former Data Protection Directive,[53] as well as the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.[54] Adopting this method of analysis suggests that the ‘personal’ nature of data could broadly include information that is both objective and subjective in manner with reference to an individual’s identity, characteristics or behaviour.[55] The changing nature of what can be considered ‘personal’ is also a key consideration when considering potential breaches of data protection laws, as data that might not be considered ‘personal’ at present may be at a later point in time.[56] Problems may also arise with the use of the term ‘processing’, which could be narrowly constructed to only refer to the specific processes attached to the conversion of raw data to publicly available data, rather than any incidental processes attached to the development and distribution of open government data.

A comparison of the terminology used in data protection laws in these jurisdictions reveals that there is a common intent to protect individuals against data breaches. A common feature of both regulatory approaches is the absence of a clear definition about what constitutes ‘harm’ to assist in the assessment of what constitutes a breach (see subsection D of this Part). One of the key differences between the Australian and European approaches is the interpretation of the respective terms relating to personal information/data and handling/processing. A broader approach adopted in the EU lends itself to being more flexibly applied across a range of cases because of its ‘one size fits all’ approach across the European continent and beyond. In contrast, a narrower construction in Australia is a product of the specific nature of amendments to legislation that is over 20 years old being retrofitted to respond to contemporary legal issues. While the two key terms discussed above could potentially be applied interchangeably across jurisdictions, the use of the word ‘handling’ in Australia is favoured as it provides greater scope to encompass incidental processes associated with the use of open data by governments. At face value, the use of this terminology negligibly affects the transparency function of open government data because it relevantly sets parameters around the acceptable use of data in an open format. However, when applied on a case-by-case basis, there is a risk that the ambiguity attached to the term ‘personal’ is more likely to affect how the law is interpreted and applied.[57]

B Anonymisation and de-identification of data

The most common method used to protect data privacy is through the removal of personal information, which aims to eliminate the risk of disclosing private data during processing or transferring methods.[58] When data is being ‘treated’ before publication in an open source format, it is often done by other sometimes non-government parties to ensure it is easy to access and understand.[59] One of the main arguments propounded by academics and professionals in the data security sector is the concern that publicly available anonymised data could potentially be deanonymised by people with open access. This point of contention is founded on the probable threat of re-identification and linkability to certain individuals, which could potentially be problematic when dealing with personal information obtained, especially in sensitive sectors such as health and education.[60] However, it should be noted that some forms of open government data, such as train times and the location of public toilets, are not ‘personal’ in nature and that caution must be exercised when engaging in this discourse.[61] Another factor compounding this issue is the intent behind data deanonymisation, which could potentially be malicious in character and either passive or active in nature.[62] The intent behind potential offences affects the way that breaches will be treated at law.

The deidentification of data is principally done to protect the identities of those from whom the information is extracted to inform publicly available datasets.[63] Once aggregated, the information is no longer considered ‘personal’ in the sense alluded to in the preceding subsection.[64] One may also argue that the more manipulated a dataset is, the less valuable it is in terms of providing adequate information to achieve the transparency function of open data. However, what the practical application of the law in Australia and Europe fails to consider is that aggregated and treated data may be personal, depending on the context in which it is viewed. The main failure with laws in their current state is that they are narrowly constructed as a control over personal data and fail to wholly capture potential issues that may arise in the process of ‘knowledge discovery in databases’.[65]

As one of the prominent concerns with opening data relates to the protection of individual privacy as discussed throughout this paper, legislative provisions prohibiting the reidentification of data can act as a safeguard against unwanted tracing of public information to individuals. The risk of re-identification of personal information should be considered throughout the open data process, especially when considering the transparency function of government bodies. In Australia, the Privacy Amendment (Re-identification Offence) Bill sought to introduce specific criminal offences and civil penalty provisions under the Privacy Act.[66] This proposal, while not formally passed by the Commonwealth Parliament, demonstrated an intent to enhance the transparency function of open government data by ensuring that government departments are held accountable for any re-identification of personal information, irrespective of intent. While the Bill sought to strengthen individuals’ privacy by creating a general deterrent for wrongful reidentification, the creation of retroactive criminal offences raises concerns about whether the proposed law is proportional to the risk of reidentification. Further, the reverse burden on defendants to prove the application of exceptions infringes on the presumption of innocence, a fundamental feature of criminal law.

C Consent

However, the potential for open government data to achieve its purpose as a means to inform policy development, focus public investment and improve service delivery[67] is undermined by concerns about whether sufficient protections for consent are afforded to individuals under data protection legislation. This is a particularly pertinent issue when considering the requisite level of consent required to be given to citizens about the collection, processing and use of their personal information. Data is collected by government departments daily in the course of people’s everyday lives. Citizens, by using and by extension agreeing to the terms of such services, consent to this form of data collection. For example, public transport patronage data is extracted from Opal cards tapping on and off different modes of transport across New South Wales and is used to inform the evidence base driving service improvements across the transport network.[68] The routine and sometimes unknowing sharing of personal data with government agencies, and in some cases corporations, may suggest that citizens are becoming more transparent and vulnerable to exposure, not the government using the information for a public purpose.[69]

The right to consent is essential at any stage of the acquisition, analysis and reuse phases of open government data.[70] One of the core limitations on open government data achieving the principles of open government is that the creation of transparency often lags behind social, political or legal expectations. Some scholars advocate for a ‘transparency-by-design’ cycle to be developed, which is a product of systems and processes to ensure that transparency is achieved throughout the open data process.[71] Consent comes into this equation by ensuring individuals are aware of the types of data being collected and how it is processed and published. User awareness of when and where data is available has significant effects on determining whether the benefits of open government data can actually be realised.[72]

The increased use of open government data poses challenges on how consent works in practice. In Australia, the APPs have been formulated in a way that reflects how personal data travels within the information cycle.[73] In the EU, consent has been in the GDPR in three forms: presumed, informed and active.[74] A key drawback of Australian and European data protection laws is that protections based on informed consent are viewed as being inefficient when considering the broader purpose of open data and other forms of ‘ambient intelligence’.[75] This raises an interesting argument about whether privacy infringements for a public benefit resulting from a failure to obtain sufficient consent from citizens are ‘necessary’ for achieving the transparency function of open government data. This sets the foundation for a law reform debate which could be presented in one of two ways. The first relates to the effectiveness of notice given to citizens before the collection of personal information and whether it satisfies the agreed definition of ‘government transparency’ in current legal and political discourse. The second refers to whether the principles of transparency by design are appropriately adopted and adapted in the law in its current form. When considering the operation of data protection legislation in a conceptual sense, mandatory consent requirements can be viewed as a precondition for enhancing the public benefits of open government data,[76] including its transparency function.

D Responses to data protection breaches

An inevitable consequence of government departments collecting, processing and storing individuals’ data for a public purpose is the risk of such data becoming subject to a breach of data protection laws. Breaches may occur in the form of a contravention of some of the core principles and concepts discussed in the preceding sections of this paper. Data breach assessments form part of every investigation by a company or government agency controlling or processing personal information.[77] Because of this, it is essential for the law to provide adequate avenues for individuals and groups to pursue legal action in the event of a breach of their privacy occurring in the handling of open government data.

In Australia, amendments to the Privacy Act came into effect on 22 February 2018.[78] These amendments require certain entities, including government agencies,[79] to notify the Office of the Australian Information Commissioner of any data breaches that meet stipulated criteria. This form of mandatory data breach legislation has been designed to protect individuals from types of harm arising from data breaches by imposing an obligation for individuals to be notified of data breaches when they occur.[80] However, its scope is criticised as being too narrow in terms of limiting the eligibility of individuals to be adequately protected,[81] which also extends to the protection (or lack thereof) afforded to a majority of businesses that could be subject to a data breach.[82] Further, the assessment process attached to the statutory data breach provisions relies on it being reported by the subject entity within 30 calendar days following an assessment of the alleged breach.

Unlike Australia, requirements for the reporting of data breaches in the EU under the GDPR differ depending on who becomes aware of the data breach. Under the GDPR, provisions relating to the notification and reporting of data breaches do not quantify a required time period to report an alleged breach for assessment for processor reporting. Rather, the term ‘without undue delay’ is used in conjunction with ‘upon becoming aware of a data breach’.[83] This adds an element of subjectivity to the legal assessment, which may undermine the overarching intent of the regulation. For data controllers, this requirement is 72 hours, which is significantly lower than the Australian law equivalent.[84]

Providing citizens with opportunities to pursue breaches of data protection legislation can be regarded as a feedback mechanism, which is essential for the long term operability of ‘open’ systems of data and government.[85] At a broad level, data protection legislation is an important feature of contemporary legal systems as it safeguards citizens’ privacy and identity through the democratic process of passing legislation.[86] However, the changing relationship between governments and their constituents through the utilisation of open data platforms and the current approach to remedying data breaches is not an entirely effective means of achieving this purpose. This is inevitable due to the reactionary nature of law in responding to change, as well as the absence of a consistent methodology for specifically defining what constitutes a ‘serious’ harm or risk to an individual. Both the Australian and European laws governing data breach notification requirements place an onus on agencies to notify individuals of potential breaches, which is an important consideration when observing the extent to which laws limit the transparency functions of open government data. In this regard, mandatory breach disclosure can only enhance the transparency function of governments operating open data portals if they are transparent in their disclosure. Statutory provisions to this effect establish a minimum level of disclosure, but in conjunction with interpretational ambiguities relating to what is ‘harm’ or ‘personal’ may discredit the ability of the law to meet ‘full transparency’[87] in the notification of data breaches.

VI CONCLUSION

Many studies have analysed the benefits of government departments using open data and its increasing presence in contemporary governance models. It is a mechanism ensuring that governments can be held accountable for their actions by enabling citizens to access information about the actions undertaken by agencies and individuals representing them.[88] However, there are also increasing concerns that the perception of open government data providing information about ‘the world we live in’ is actually masked as the ability for governments to release personal information about their citizens without proper consent.[89] This essay begins to unpack the need to balance data protection and government transparency in the context of open government data, noting the potential risks of prioritising one over the other. As government agencies obtain information about various aspects of citizens’ lives, the acceptability of such risks ultimately depends on the nature and types of information being collected, processed and made publicly available.[90]

While data protection laws in Australia and Europe have begun responding to concerns about the integrity of individuals’ data and its management by government entities, there are inevitable consequences about the effects of such laws on the transparency function of open government data. These effects are unavoidable due to the established legislative provisions regulating data protection and the enshrined right to privacy stipulated in human rights instruments. In their current, albeit reactionary form, Australian and European laws have begun addressing some key issues such as data de-identification, consent and managing data breaches. This essay found that current laws acceptably protect individuals at a general level, but need to consider protection at a community level, as well as the enforcement and robustness of available remedies. At present, it is difficult to justify whether these laws limit the transparency function of all open government data based on the breadth of information that can be made available on government-operated open data portals. This conclusion may lead to more uncertainty based on the need for case-by-case consideration of possible impacts on particular aspects of open government data.


[1] Clare Coffey, ‘Good Governance and the Common Fisheries Policy: An Environmental Perspective’, Institute for European Environmental Policy (Web Page, 2003) <http://jncc.defra.gov.uk/pdf/Good_goverance2.pdf> 2.

[2] Margaret Jackson, Hughes on Data Protection in Australia (Lawbook Co, 2nd ed, 2001), 1.

[3] Nigel Shadbolt et al, ‘Linked Open Government Data: Lessons from Data.gov.uk’ (2012) 27(3) IEEE Intelligent Systems 16, 17.

[4] Kieron O’Hara, ‘Transparency, Open Data and Trust in Government: Shaping the Infosphere’ (Conference Paper, ACM Web Science Conference, 22–24 June 2012) 226.

[5] Bastiaan van Loenen et al, ‘Open Data Exposed’ in Bastiaan van Loenen et al (eds), Open Data Exposed (TMC Asser Press, 2018) 1, 3.

[6] Ibid.

[7] Productivity Commission, Data Availability and Use (Issues Paper, 18 April 2016) 4.

[8] Neeta Verma and MP Gupta, ‘Challenges in Publishing Open Government Data: A Study in Indian Context’ (Conference Paper, International Conference on Electronic Governance and Open Society: Challenges in Eurasia, 24–25 November 2015) 1.

[9] Stefan Kulk and Bastiaan van Loenen, ‘Brave New Open Data World?’ (2012) 7(1) International Journal of Spatial Data Infrastructures Research 196, 197–8.

[10] Verma and Gupta (n 8) 1.

[11] Ibid.

[12] Federico Morando, ‘Legal Interoperability: Making Open (Government) Data Compatible with Businesses and Communities’ (2013) 4(1) Journal of Law, Information and Science 441, 443.

[13] Kulk and Van Loenen (n 9) 196.

[14] Marijn Janssen, Yannis Charalabidis and Anneke Zuiderwijk, ‘Benefits, Adoption Barriers and Myths of Open Data and Open Government’ (2012) 29(4) Information Systems Management 258, 258.

[15] Ibid 259.

[16] Gerrit Hornung and Christoph Schnabel, ‘Data Protection in Germany I: The Population Census Decision and the Right to Informational Self-determination’ (2009) 25(1) Computer Law & Security Review 84, 85.

[17] Janssen, Charalabidis and Zuiderwijk (n 14) 265.

[18] Katleen Janssen, ‘The Influence of the PSI Directive on Open Government Data: An Overview of Recent Developments’ (2011) 28(4) Government Information Quarterly 446.

[19] Frederik Zuiderveen Borgeisus, Jonathan Gray and Mireille van Eechoud, ‘Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework’ (2016) 30(3) Berkeley Technology Law Journal 2073.

[20] Hornung and Schnabel (n 16).

[21] Ibid 85.

[22] Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC [2016] OJ L 119 (‘General Data Protection Regulation’).

[23] Victoria Park Racing & Recreation Grounds Co Ltd [1937] HCA 45; (1937) 58 CLR 479, 496.

[24] Privacy Act 1988 (Cth) (‘Privacy Act’).

[25] Electronic Frontiers Australia, ‘Data Protection Laws/Privacy Acts’, Electronic Frontiers Australia (Web Page, 21 January 2006) <https://www.efa.org.au/Issues/Privacy/privacy.html#stpa>.

[26] Privacy Act (n 24) pt III, sch 1.

[27] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 2 (‘Privacy Amendment (Notifiable Data Breaches) Act’).

[28] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (Report No 108, vol. 2, May 2008) 1515.

[29] Christina Tikkinen-Piri, Anna Rohunen and Jouni Markkula, ‘EU General Data Protection Regulation: Changes and Implications for Personal Data Collecting Companies’ (2018) 34(1) Computer Law & Security Review 134, 134.

[30] Tijmen Wisman, ‘Privacy, Data Protection and E-Commerce’ in Arno R Lodder and Andrew D Murray (eds), EU Regulation of E-Commerce: A Commentary (Edward Elgar Publishing, 2017) 349, 350.

[31] Charter of the Fundamental Rights of the European Union, signed 7 December 2000, 2000/C 364/01 (entered into force 1 December 2009) art 8.

[32] General Data Protection Regulation (n 22) art 3.

[33] Universal Declaration of Human Rights, GA Res 217A (III), UN GAOR, UN Doc A810 (10 December 1948) art 12; International Covenant on Civil and Political Rights, GA Res 2200A (XXI), UN GAOR (16 December 1966, entered into force 23 March 1976) art 17.

[34] William L. Prosser, ‘Privacy’ (1960) 48(3) California Law Review 383, 389.

[35] David Richards, ‘Unnatural Acts and the Constitutional Right to Privacy: A Moral Theory’ [1976–77] (45) Fordham Law Review 1281, 1302.

[36] Lorenzo Dalla Corte, ‘The European Right to Data Protection in Relation to Open Data’ in Bastiaan van Loenen et al (eds), Open Data Exposed (TMC Asser Press, 2018) 127, 127.

[37] Richards (n 35) 1302.

[38] Jules Polonetsky and Omer Tene, ‘Privacy and Big Data: Making Ends Meet’ [2013] (66) Stanford Law Review 25, 25.

[39] Luciano Floridi, ‘Open Data, Data Protection and Group Privacy’ (2014) 27(1) Philosophy & Technology 1, 2.

[40] Dalla Corte (n 36) 127.

[41] See Privacy Act (n 24) sch 1.

[42] Productivity Commission, Data Availability and Use (Issues Paper, 18 April 2016) 24.

[43] Marijn Janssen and Jeroen van den Hoven, ‘Big and Open Linked Data (BOLD) in Government: A Challenge to Transparency and Privacy?’ (2015) 4(32) Government Information Quarterly 363, 364.

[44] Janssen, Charalabidis and Zuiderwijk (n 14) 260–1.

[45] Marijn Janssen et al, ‘Transparency-by-design as a Foundation for Open Government’ (2017) 11(1) Transforming Government: People, Process and Policy 2, 4.

[46] Amanda Lo, ‘The Right to Privacy in the age of Big Data and Open Data’, Australian Human Rights Institute (Web Page, 13 August 2018) <https://www.humanrights.unsw.edu.au/news/right-privacy-age-big-data-and-open-data>.

[47] Matthew S Mayernik, ‘Open Data: Accountability and Transparency’ (2017) 4(2) Big Data & Society 1, 2.

[48] Ibid.

[49] Sébastien Martin et al, ‘Open Data: Barriers, Risks and Opportunities’ (Conference Paper, European Conference on eGovernment, 13–14 June 2013) 303.

[50] Wisman (n 30) 350.

[51] [2017] FCAFC 4.

[52] Ibid.

[53] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/95.

[54] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, ETS 108 (entered into force 1 October 1985).

[55] Kulk and Van Loenen (n 9) 199.

[56] Ibid 200.

[57] Ibid 202.

[58] Dalal Al-Azizy et al, ‘A Literature Survey and Classifications on Data Deanonymisation’ (Conference Paper, International Conference on Risks and Security of Internet and Systems, 20–22 July 2015) 38.

[59] Janssen et al (n 45) 2.

[60] O’Hara 2012 (n 4) 231.

[61] Kulk and Van Loenen (n 9) 201.

[62] Al-Azizy et al (n 58) 45.

[63] Frederik Zuiderveen Borgeisus, Jonathan Gray and Mireille van Eechoud, ‘Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework’ (2016) 30(3) Berkeley Technology Law Journal 2073, 2073.

[64] Privacy Act (n 24) s 6(1).

[65] Mireille Hildebrandt and Bert-Jaap Koops, ‘The Challenges of Ambient Law and Legal Protection in the Profiling Era’ (2010) 73(3) The Modern Law Review 428, 433.

[66] Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016 (Cth) 3.

[67] Janssen, Charalabidis and Zuiderwijk (n 14) 258.

[68] Transport for NSW, Data and Research (Web Page, 2019) <https://www.transport.nsw.gov.au/data-and-research>.

[69] O’Hara 2012 (n 4) 231.

[70] Karolis Granickas, ‘Ethical and Responsible Use of Open Government Data’ (European Public Sector Information Platform Topic Report No 2, February 2015) 9 <https://www.europeandataportal.eu/sites/default/files/2015_ethical_and_responsible_use_of_open_government_data.pdf>.

[71] Janssen et al (n 45) 4.

[72] Janssen, Charalabidis and Zuiderwijk (n 14) 265.

[73] Office of the Australian Information Commissioner, ‘Guide to Big Data and the Australian Privacy Principles’ (Draft Consultation Paper, May 2016) 6.

[74] Eoin Carolan, ‘The Continuing Problems with Online Consent under the EU’s Emerging Data Protection Principles’ (2016) 32(3) Computer Law & Security Review 462, 462.

[75] Hildebrandt and Koops (n 65) 442.

[76] Ibid 436.

[77] Nick Ismail, ‘GDPR vs Australian Data Privacy Regulations: 5 Key Differences’ Information Age (Web Page, 5 March 2018) <https://www.information-age.com/gdpr-aus-data-privacy-regulations-123471003/>.

[78] Privacy Amendment (Notifiable Data Breaches) Act (n 27).

[79] See Privacy Act (n 24) s 26WB.

[80] Commonwealth, Parliamentary Debates, House of Representatives, 19 October 2016, 2430 (Michael Keenan).

[81] Jessica Chapman, ‘Using Blockchain to Address the Limitations of the Australian Mandatory Data Breach Notification Law’ [2019] (1) UNSW Law Journal Student Series <http://classic.austlii.edu.au/au/journals/UNSWLawJlStuS/2019/1.html>.

[82] Katharine Kemp and David Vaile, ‘Soft Terms Like ‘Open’ and ‘Sharing’ Don’t Tell the True Story of Your Data’, The Conversation (Web Page, 1 May 2018) <https://theconversation.com/soft-terms-like-open-and-sharing-dont-tell-the-true-story-of-your-data-95521>.

[83] Ismail (n 77).

[84] Ibid.

[85] Janssen, Charalabidis and Zuiderwijk (n 14) 259.

[86] Hildebrandt and Koops (n 65) 445.

[87] Fabio Bisogni, ‘Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?’ (2016) 6 Journal of Information Policy 154, 177.

[88] O’Hara (n 4) 226.

[89] Kemp and Vaile (n 82).

[90] Martin et al (n 49) 309.


URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2019/9.html