'Citizen or consumer? Contrasting Australia and Europe’s data protection policies' by James Meese, Punit Jagasia and
James Arvanitakis in (2019) 8(2)
Internet Policy Review examines
how data access and transfer rights are conceptualised in the European Union and Australia. The study discusses the planned introduction of a Consumer Data Right (CDR) to Australia and contrasts it to comparable developments in European law. We then assess the broader reform moments around data (which these various data access and transfer rights form a part of), that have occurred in each jurisdiction. The paper shows that Europe has placed an increasing value on protecting the fundamental rights of citizens, whereas Australia has taken a more neoliberal approach to data, only granting individuals rights in the context of the market.
The authors argue
Governments are becoming increasingly concerned about widespread corporate data collection and the information asymmetries produced through these practices. People provide their personal data in exchange for various free services, from social media platforms to fitness apps (see Andrejevic, 2014), allowing companies to gather detailed information across their customer base. However, individuals have little to no knowledge about how their data is collected, used, stored, managed or handled. In addition to concerns around the collection of personal information, the growing importance of data as an economic good has also made legislators uneasy, with many citing ‘competition’ as a reason for regulation (Esayas and Daly, 2018). There is a fear that consumers could be ‘locked in’ to particular commercial arrangements if they are unable to transfer their valuable data to a competitor (Frieden, 2017; also see Esayas and Daly, 2018). In response, numerous jurisdictions have attempted to intervene in this state of affairs by engaging in legislative reform, with the European Union’s General Data Protection Directive (GDPR) standing as the most prominent example.
The initial interest of this paper is to investigate how this reform moment has increased the visibility data access and portability provisions, through a comparative study of recent reform agendas in the European Union (EU) and Australia. This analysis compares the Australian CDR reform process to the GDPR, which features a right to access data (art. 15, GDPR) and data portability (art. 20, GDPR), and data access and portability rights found in other European legislative instruments. The most prominent of these is the reformed payment services directive (PSD 2), which allows individuals and third parties to access certain banking data. At the outset, it is important to note that all of these legislative instruments have different aims. The GDPR is a regulatory framework that covers the entire European Union. It grants new rights to individuals, represents a substantial strengthening of the Data Protection Directive (1995), which it replaces (in terms of scope and enforcement, for example) and also purports to regulate algorithms (or, in the regulation’s terms, “automated decision making”, Art. 22). In contrast, PSD 2 requires banks to “provide access and […] communicate, to authorized third parties, customer and payment account information” (Omarini, 2018, p. 28), providing a framework for Open Banking in Europe. Similar directives in other sectors also empower data transfers in certain situations (see Esayas and Daly, 2018). The CDR is similar to these sector-specific directives but operates on a broader scale. It introduces a general framework that gives Australians the power to ask companies that hold data to transfer all or some of that data to a third party, which can be another company in the same sector or an adjacent business. It will be introduced on a sector by sector basis (see Explanatory Memorandum, 2018).
However, this paper also extends this initial analysis and argues that the CDR is indicative of a broader conceptual divergence that places Australia at odds with Europe (despite the fact that the CDR introduces some European ‘elements’ into Australian law). We pursue this argument by exploring the rhetoric around the CDR, showing how politicians and policymakers have presented the right as a solution to the problem of information asymmetry. We compare this stance to the introduction of the GDPR, which saw Europe transition from a market-oriented data protection framework to one that embraced fundamental rights and freedoms (Hijmans, 2010; 2016). We argue that these different reform moments have resulted in two separate conceptual approaches to data, with Europe increasingly focused on fundamental rights and citizenship and Australia focused on the consumer and the market. We go on to suggest that Australia needs to develop a broader conceptual foundation for its data policies and move beyond questions of economic value and efficiency to meaningfully engage with fundamental rights and embrace stronger enforcement regimes in line with existing European policy.
We also note that while existing research has already contrasted the policy proposal for the CDR with European law (Esayas and Daly, 2018), this paper analyses what is likely to be the final legislated version of the right. The Australian Coalition (centre-right) government has been a strong advocate for the CDR and supported policy development around the right throughout the 45th Parliament (2016 – 2019). Legislation was tabled in late 2018 and a subsequent Senate (upper house) Committee recommended that the bill be passed unamended. The bill did not pass parliament before it was dissolved in preparation for a May 2019 election. However the Coalition returned to power and as a result, while minor amendments may still be made the substance of the legislation examined in this article (in the form of an exposure draft) is likely to be passed. The launch of the Consumer Data Right is likely to go ahead as planned on 1 February 2020. In addition to legislation, we have also consulted public documentation and commentary to analyse the scope and purpose of the CDR.
The paper proceeds as follows. We begin by briefly discussing the different legal philosophies that influence each jurisdiction’s approach to data protection. Then we introduce the CDR and compare its operation to European data access and transfer regimes. Following this, we critique the rhetoric around the right that either promotes an equivalence to the ‘European’ approach to data or holds up the Australian approach as superior. Finally, we compare the separate reform trajectories in both jurisdictions and suggest that the CDR is an example of Australia’s broader economic approach to data and the issue of information asymmetry, which stands in stark contrast to Europe’s growing commitment to fundamental rights as part of its overarching data protection framework.
