06 October 2018

Director Identification Numbers

The Commonwealth Registers Bill 2018 (Cth) and Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2018 (Cth) package noted in the preceding post covers introduction of a pervasive director identification number (DIN) regime.

We can construe the DINs as an extension of the existing uniform identifier regime that includes the ubiquitous Fax File Number (TFN) tagging most adult Australians.

The Explanatory Memo states
Schedule 2 of the Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2018 amends the Corporations Act and the Corporations (Aboriginal and Torres Strait Islander) Act 2006 (CATSI Act) to introduce a director identification number (DIN) requirement. 
It sets out:
• the persons to which the new requirement applies; 
• the obligations associated with the new requirement; 
• how the new requirement is administered; and 
• the consequences of contravening the new law. 
Context of amendments 
2.2 Phoenixing occurs when the controllers of a company deliberately avoid paying liabilities by shutting down an indebted company and transferring its assets to another company. This impacts on creditors who fail to receive payments for goods and services, employees through lost wages and/or superannuation entitlements and the general public through lost revenue to the Government. The total cost of phoenixing to the Australian economy is estimated to be between $2.9 billion and $5.1 billion annually. 
2.3 The Commonwealth Government currently has a number of initiatives underway to deter and penalise phoenix activity in order to protect those who are negatively affected by such fraudulent behaviour. One initiative is the introduction of a DIN, which the Government announced on 12 September 2017. 
2.4 The DIN will require all directors to confirm their identity and it will be a unique identifier for each person who consents to being a director. The person will keep that unique identifier even if their directorship with a particular company ceases. As such, the DIN will provide traceability of a director’s relationships across companies, enabling better tracking of directors of failed companies and will prevent the use of fictitious identities. This will assist regulators and external administrators to investigate a director’s involvement in what may be repeated unlawful activity including illegal phoenix activity. 
2.5 To date, although the law has required that directors’ details be lodged with ASIC, it has not required the regulator to verify the identity of directors. This verification aspect of the DIN will improve the integrity of the data and help with enforcement action associated with phoenixing. 
2.6 The new DIN regime will also offer benefits beyond combating phoenixing. For instance, simpler more effective tracking of directors and their corporate history will reduce time and cost for administrators and liquidators, thereby improving the efficiency of the insolvency process. In addition, the new regime will improve data integrity and security, including by allowing directors to be identified by a number rather than by other more personally identifiable information such as their name and address. 
2.7 The introduction of a DIN was recommended by the Productivity Commission in its September 2015 final report into Business Set-up, Transfer and Closure. In the report, the Productivity Commission noted its confidence that the introduction of a DIN would likely be of significant net benefit to the community as a whole. 
Summary of new law 
2.8 The new law amends the Corporations Act and the CATSI Act to introduce a DIN requirement. The new requirement assists regulators to better detect, deter and disrupt phoenixing and improves the integrity of corporate data maintained by the registrar. 
2.9 Under the new requirement a person appointed as a director of a body corporate registered under the Corporations Act or the CATSI Act must apply to the registrar for a DIN. The person has 28 days to apply from the date they are appointed a director unless they are provided an exemption or extension by the registrar. After receiving an application, the registrar must provide the director with a DIN if the registrar is satisfied that the director’s identity has been established. 
2.10 The registrar is provided with powers to administer the new requirement. These include powers to: issue DINs; keep necessary records; cancel and reissue DINs; determine the numbering plan for the new requirement; and, determine how directors are to establish their identity. The registrar may make data standards, by way of legislative instrument, in relation to these and other matters. 
2.11 There are civil and criminal penalties for directors that fail to apply for a DIN within the applicable timeframe. The registrar, or a senior member of its staff, may also issue infringement notices in relation to such conduct. There are also civil and criminal penalties which apply to conduct that would otherwise undermine the new DIN requirement. For example, there are criminal penalties for deliberately providing false identity information to the registrar, intentionally providing a false DIN to a Government body or relevant body corporate, and intentionally applying for multiple DINs.

Consolidating the Australian Business Registers

The Treasury is consulting regarding proposals for major consolidation of Australian business registry operations, data standards and establishment of a Director Identification Number (DIN) regime to inhibit practice such as phoenixing and tax evasion. It follows the 2017 and 2015 Productivity Commission reports on Data Availability and Business Set-Up.

The Commonwealth Registers Bill 2018 (Cth) and Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2018 (Cth) provide for a new Act called the Commonwealth Registers Act 2018, with amendments to a suite of existing laws to create a new Commonwealth business registry regime.

The two Bills set out
 •what information is subject to the new regime; 
• who may be appointed to administer the new regime as its registrar; 
• the functions and powers of the registrar; 
• how the registrar performs its functions and exercises its powers; 
• the framework for protecting and disclosing information held by the registrar; and 
• other matters that support the new regime. 
They also provide for a new Director Identification Number regime, discussed in the following post.

In relation to registries the Explanatory Memo states
1.2 The Australian Government has committed to simplifying its interactions with business to support growth, innovation and employment. 
1.3 The National Business Simplification Initiative, announced in 2016, aims to reduce the time that businesses spend complying with regulations and interacting with government so that they can focus on growing their business, creating more jobs, and developing new products and market opportunities. The Initiative is a Commonwealth led agreement between federal, state and territory governments to work together to make it simpler to do business in Australia. 
1.4 As part of the Initiative, the Government is developing a modern approach to managing Commonwealth registers to provide more user-friendly and streamlined registry services. The initial focus of this modernisation process is on the registers kept by ASIC as well as the Australian Business Register, which is kept by the Commissioner of Taxation (Commissioner).  
1.5 The new law facilitates a modern government registry regime that is flexible, technology neutral and governance neutral. The regime initially applies to the business registers administered by ASIC and the Australian Business Register. Additional government registers may be brought into the regime by future legislative reforms. 
1.6 Under the new regime the Minister appoints an existing Commonwealth body to be the registrar. Different registrars can be appointed for different functions or powers of the registrar. 
1.7 The functions and powers of the registrar are largely set out in existing Commonwealth laws. In particular, most powers and functions are set out in the Commonwealth acts that contain the registers being brought into the new regime. These acts include the:
Corporations Act
the ABN Act
the Business Names Act
the Credit Act; and, 
the SIS Act
1.8 The registrar performs its functions and exercises its powers in accordance with the data standards and other Commonwealth laws. The data standards are disallowable instruments made by the registrar. They may deal with a variety of matters including what information may be collected for the purposes of performing the registrar’s functions, how such information is to be given to the registrar, and how information held by the registrar is to be stored. 
1.9 The new law provides for the protection and disclosure of information held by the registrar. It is an offence for an official to disclose information held by the registrar unless the disclosure is authorised. A disclosure is authorised where: it is for the purposes of the new registry regime; it happens in the course of the performance of an official’s duties; each person to whom the information relates consents to the disclosure; the information is disclosed to a government agency for the performance of its functions; or, the benefits associated with the disclosure outweigh the risks (including privacy risks) after those risks have been mitigated. 
1.10 All decisions made by the registrar under the new Act are reviewable by the Administrative Appeals Tribunal except those made by disallowable instrument.
Overall, the legislative package creates the new Act and makes consequential amendments to a suite of existing laws to create a new Commonwealth business registry regime.
It sets out:
• what information is subject to new regime; 
• who may be appointed to administer the new regime as its registrar; 
• the functions and powers of the registrar; 
• how the registrar performs its functions and exercises its powers; 
• the framework for protecting and disclosing information held by the registrar; and • other matters that support the new regime. 
1.12 The objective of the new regime is to facilitate a modern government registry regime that is flexible, technology neutral and governance neutral. The new Act includes a simplified outline of its contents to assist readers understand the new regime. 
What information is subject to the new regime? 
1.13 Initially, information related to 35 existing business registers would be subject to the new registry regime. The existing business registers comprise 34 registers currently kept by ASIC and the Australian Business Register, which is currently kept by the Commissioner.
The new Registrar is of particular interest. The Memo states
How does the registrar perform its functions and powers? 
1.29 The registrar performs its functions and powers in accordance with the data standards and other Commonwealth laws. 
Data standards 
1.30 The new law allows the registrar to make data standards on matters relating to the performance of the registrar’s functions and the exercise of the registrar’s powers. The data standards may deal with a variety of registry related matters that are currently dealt with by prescriptive rules in primary legislation that are not uniform, technology neutral or governance neutral. 
1.31 To assist readers to understand the role of the data standards, the new Act provides examples of what the data standards may cover. These examples clarify that the data standards may provide for matters such as the following:
• what information may be collected for the purposes of the performance of the registrar’s functions and the exercise of the registrar’s powers; 
• how such information may be collected; 
• the manner and form in which such information is given to the registrar; 
• when information is to be given to the registrar 
• how information held by the registrar is to be authenticated, verified or validated; 
• how information held by the registrar is to be stored; • the correction of information held by the registrar; 
• the manner and form of communication between the registrar and persons who give information to the registrar or seek to access to information held by the registrar; and; 
• integrating or linking information held by the registrar. 
1.32 These examples are just an inclusive list of the matters that may be dealt with by the data standards. Their inclusion in the new Act is not intended to limit the matters that may properly be dealt with by the data standards. 
1.33 The new Act clarifies that the data standards may include different provisions relating to different functions or powers of the registrar. This ensures that the data standards do not need to adopt a ‘one size fits all’ approach to the administration of registry functions and powers. The variety of functions and powers given to the registrar necessitates that the registrar be able to tailor data standards so that they are appropriate for the different purposes for which they may be made. 
1.34 This approach of enabling the registrar to make data standards facilitates the efficient and effective administration of registry services. Data standards can be readily amended over time to keep up with changes in best practice, industry preference, the needs of those using registry services, and technology. The flexibility offered also enables a ‘tell us once’ approach to the collection of information, minimising the number of interactions clients have with the registrar. Currently, a reporting entity may have to provide the same information to multiple registers increasing regulatory burden and the cost of administering registry services. 
1.35 To ensure these benefits can be realised the new law includes provisions that ensure the data standards may request information in a wide variety of ways that make best use of available technology. In particular, the new law expressly clarifies that: • the data standards may provide that information is to be given to the registrar in electronic form, or any other specified form; and, • a requirement under a law that information is to be provided to the registrar in a particular form or manner (however described), including a requirement that information is to be “lodged” or “furnished”, is not taken to restrict by implication what the data standards may provide in relation to that information. 
1.36 The new law includes provisions designed to promote the smooth transition of registry functions and powers from one registrar to another. As already noted, under the new regime the Minister may appoint any government body as registrar for particular functions and powers and may change the appointed body at any time. Should the body appointed as registrar for particular functions and powers change, the new law provides that any existing data standards continue to apply until the new registrar has prepared replacement standards. 
1.37 Data standards are disallowable instruments for the purposes of the Legislation Act 2003. Under that Act, legislative instruments and their explanatory statements must be tabled in both Houses of the Parliament within six sitting days after the date of registration of the instrument on the Federal Register of Legislation. Once tabled, the instruments will be subject to the same level of parliamentary scrutiny as regulations (including consideration by the Senate Standing Committee on Regulations and Ordinances), and notice of a motion to disallow the instruments may be given in either House of the Parliament within 15 sitting days after the date the instruments are tabled.
From an information management (including data protection and privacy) perspective the Memo notes
How is information held by the registrar protected and disclosed? 
1.41 The new law provides for the protection and disclosure of information held by the registrar, including disclosure via a disclosure framework made by the registrar. 
Protection of registry information 
1.42 It is an offence for an official to record or disclose information held by the registrar unless the recording or disclosure is authorised. In particular, unless authorised, a person commits an offence if:
• the person is, or has been, in official employment ; 
• the person makes a record of information, or discloses information to another person; and 
• the information is protected information that was obtained by the person in the course of their official employment. 
1.43 The maximum penalty for disclosing registry information in breach of this offence provision is imprisonment for two years. The penalty is consistent with comparable provisions in other Acts, including the ASIC Act , the ABN Act and the Taxation Administration Act 1953. The principles set out in the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers were also considered in determining the applicable penalty. 
Disclosure of registry information 
1.44 As mentioned above, the prohibition against recording and disclosing registry information does not apply where the recording or disclosure is authorised. A recording or disclosure is authorised if:
• the recording or disclosure is for the purposes of the new Act or happens in the course of the performance of the duties of a person’s official employment; 
• the disclosure is to another person for use, in the course of the performance of the duties of the other person’s official employment, in relation to the performance of the functions of a government entity ; 
• each person to whom the information relates consents to the disclosure; or 
• the disclosure is in accordance with the disclosure framework. 
1.45 A defendant carries an evidential burden for establishing that a recording or disclosure of registry information was authorised. To satisfy this eventual burden the defendant must adduce or point to evidence that suggests a reasonable possibility that the recording or disclosure was authorised. Once this is done, the prosecution bears the burden of proof. 
1.46 The new law expressly authorises disclosure to a government entity in relation to the performance or exercise of its functions or powers. The intent of this authorisation is to, for example, ensure ASIC has real-time access to all the registry information it requires in order to exercise its regulatory functions or powers. 
1.47 The new law clarifies how its protection and disclosure regime relates to other secrecy provisions in Commonwealth law. The effect of the new law is that other Commonwealth secrecy provisions do not apply in addition to the new law’s protection and disclosure regime unless expressly designated. The following secrecy provisions have been designated for this purpose:
• sections 18, 18A, 18B and 92 of the Australian Security Intelligence Organisation Act 1979
• section 34 of the Inspector-General of Intelligence and Security Act 1986
• sections 39, 39A, 40, 40A to 40M and 41 of the Intelligence Services Act 2001
• a provision of a law of the Commonwealth prescribed by the rules; 
• a provision of a law of the Commonwealth of a kind prescribed by the rules; and, 
• section 8WB of the Taxation Administration Act 1953 (which contains special rules relating to the disclosure of tax file numbers) . 
1.48 The intent of the new law in this regard is to avoid unnecessary overlap in the operation of secrecy provisions in relation to registry information. It is not optimal for multiple secrecy provisions to unnecessarily apply to the same piece of information. For example, the Productivity Commission identified over 500 different secrecy provisions and found that they often interacted in a way that leads to undesirable complexity, resulting in unnecessary barriers to data access that stifles socially beneficial activities. 
1.49 Similarly, the new regime’s disclosure framework is expressly authorised for the purposes of paragraph 6.2(b) of the Privacy Act 1988. Paragraph 6.2(b) of the Privacy Act 1988 allows disclosure of personal information where it is authorised by an Australian law. As the new disclosure framework is such an Australian law, this provision simply clarifies the operation of the current law. 
1.50 The new regime exempts a person from being required to provide registry information to a court except where the disclosure is necessary for giving effect to a taxation law or an Australian business law. What constitutes a taxation law is defined in section 995-1 of the Income Tax Assessment Act 1997 to include: a provision of an Act for which the Commissioner has general administration; legislative instruments made under such a provision; or the Tax Agent Services Act 2009 or regulations made under that Act. The new law defines Australian business law to mean a law of the Commonwealth, or of a State or Territory, that is a law that regulates, or relates to the regulation of, business or persons engaged in business. This definition is based on the definition of ‘business law’ in section 3 of the Mutual Assistance in Business Regulation Act 1992.  
1.51 The new law in this respect is based on existing subsection 30(5) of the ABN Act, which is being repealed by the new law. That subsection currently exempts a person from having to provide protected documents or information (as defined in the ABN Act) to a court except where the proceedings relate to a taxation law. The provision guards against registry information being required to be produced for purposes unrelated to its collection. 
The disclosure framework 
1.52 The new law provides that the registrar may make the disclosure framework referred to in the final dot point of paragraph 1.44. Under the disclosure framework the registrar may authorise the disclosure of registry information where it is satisfied that the benefits of disclosure outweigh the risks, after those risks have been mitigated.  
1.53 The disclosure framework may provide for any matter related to the disclosure of registry information. For example, the disclosure framework may provide for matters such as:
• the circumstances in which information must not be disclosed without the consent of the person to whom it relates; 
• the circumstances in which de-identified information may be disclosed; 
• the circumstances in which information may be disclosed to the general public; 
• the circumstances in which confidentiality agreements are required for the disclosure of information; and 
• the imposition of conditions on disclosure of information. 
1.54 In addition, the new law clarifies that the disclosure framework may include different provisions relating to different functions or powers of the registrar. This ensures that the disclosure framework can be tailored to particular functions and powers of the registrar. 
1.55 This approach to disclosure aligns with the Productivity Commission’s 2017 recommendation to take a more principled approach to the release of Government data. In particular, the Commission recommended that Government data be able to be released publically where the benefits of the release outweigh the risks involved (including privacy risks) after those risks have been mitigated to the extent practicable. The intention of this recommendation was to capture the benefits of ‘big data’ while managing all risks of disclosure, not just those relating to personal information. 
1.56 It is envisaged that the ability to make a disclosure framework will provide the registrar with flexibility regarding the release of registry information. For example, the framework could allow a trusted user (for instance a university whose IT systems, processes and staff have been vetted) to access information that may not be appropriate for wider dissemination where a social benefit exists and appropriate undertakings are made. 
1.57 As is the case with respect to data standards, the new law includes provisions designed to promote the smooth transition of registry functions and powers from one registrar to another. Should the body appointed as registrar for particular functions and powers change, the new law provides that any existing disclosure framework continues to apply until the new registrar has prepared a replacement framework. 
1.58 The disclosure framework is a disallowable instrument for the purposes of the Legislation Act 2003. Under that Act, legislative instruments and their explanatory statements must be tabled in both Houses of the Parliament within six sitting days after the date of registration of the instrument on the Federal Register of Legislation. Once tabled, the instruments will be subject to the same level of parliamentary scrutiny as regulations (including consideration by the Senate Standing Committee on Regulations and Ordinances), and notice of a motion to disallow the instruments may be given in either House of the Parliament within 15 sitting days after the date the instruments are tabled. In addition to parliamentary oversight, the disclosure framework is subject to a privacy impact assessment under the Privacy Act 1988 and the consultation requirements contained in the Legislation Act 2003.  
1.59 The new law also allows a person to apply to the registrar to prevent an inappropriate disclosure of registry information that relates to them. The data standards may provide for how such applications are to be made and decided. However, where the registrar is satisfied that the disclosure is not appropriate, the disclosure is taken to not be in accordance with the disclosure framework. 

05 October 2018

CCTV Security and Privacy in Victoria

The Victorian Auditor General's report Security and Privacy of Surveillance Technologies in Public Places comments
 Local councils are using advances in surveillance technology legitimately to collect information about people’s daily activities. In parallel, they need to fulfil their responsibility to respect individuals’ right to privacy, by managing these systems well and in compliance with privacy requirements. 
Council’s CCTV surveillance systems fall into two main categories: Systems installed in public spaces for use by Victoria Police Systems installed in and around council facilities for use by council staff. In this audit, we assessed whether councils keep secure the information they collect from these CCTV surveillance systems and whether they protect the privacy of individuals. 
Specifically, we assessed the management and use of surveillance devices in public places by five councils to see whether they adhere to relevant privacy laws and appropriate use policies and whether they protect the information they collect from unauthorised disclosure. 
The councils we audited were: the
  • City of Melbourne 
  • Whitehorse City Council 
  • Hume City Council 
  • East Gippsland Shire Council 
  • Horsham Rural City Council.
Between them, these councils have more than 1 100 CCTV cameras and they are increasing their use of surveillance devices.
We made 11 recommendations—nine for all audited councils, one for Whitehorse City Council and one for Horsham Rural City Council.
The report states -
Across the public and private sectors, organisations use a range of technologies to observe or monitor individuals or groups, such as closed-circuit television (CCTV) surveillance systems. Some Victorian local councils, use CCTV for public safety and protecting council staff and assets. 
Councils' CCTV surveillance systems fall into two main categories: 
Public safety CCTV systems—councils install these systems to discourage and detect antisocial and criminal behaviour in public places. Victoria Police has direct access to monitor and review footage from these systems. The initial purchase costs are usually funded by grants from the state or Commonwealth governments, with councils funding ongoing maintenance and replacement costs.
Corporate CCTV systems—councils fund the installation of these systems and use them to monitor facilities that include public spaces, such as council offices, pools, libraries, performing arts centres and waste management facilities. These systems are typically managed onsite by council employees or contractors.
Surveillance systems in public places impact on the privacy of individuals, so it is important that councils can demonstrate to their communities that they are managing these systems well and in compliance with privacy requirements. If councils cannot demonstrate this, they risk losing public confidence. 
The Privacy and Data Protection Act 2014 (PDPA) sets out Information Privacy Principles that apply when public sector agencies, including councils, collect personal information that enables individuals to be identified, such as the images captured by CCTV systems. The Office of the Victorian Information Commissioner (OVIC), formerly the Commissioner for Privacy and Data Protection (CPDP), has a key role in implementing and supporting compliance with PDPA. Before OVIC was established, CPDP issued Guidelines to surveillance and privacy in the Victorian public sector in May 2017. We used this and other comprehensive guidance material on the use of CCTV in public places as criteria for our audit.
Local councils are using advances in surveillance technology legitimately to collect information about people's daily activities. In parallel, they need to fulfil their responsibility to respect individuals' right to privacy, by ensuring that the information from their surveillance devices is securely collected, stored and transmitted. The absence of community objections to surveillance in public places does not diminish this responsibility, and councils need to demonstrate organisational leadership through robust policies, strong management and controls, and effective oversight.
In this audit, we assessed whether councils keep secure the information they collect from their CCTV systems and whether they protect the privacy of individuals. Specifically, we assessed the management and use of surveillance devices in public places by five councils to see whether they adhere to relevant privacy laws and appropriate use policies, and whether they protect the information they collect from unauthorised disclosure.
The councils we audited were the City of Melbourne (Melbourne), Whitehorse City Council (Whitehorse), Hume City Council (Hume), East Gippsland Shire Council (East Gippsland) and Horsham Rural City Council (Horsham) . Between them, these councils have more than 1 100 CCTV cameras and they are increasing their use of surveillance devices.
Victoria Police was not included in our audit scope. However, as it is the key user of public safety CCTV systems, we examined council-owned CCTV systems in police stations and spoke to police officers involved in using these systems.
Conclusion
The councils we examined in this audit could not demonstrate that they are consistently meeting their commitments to the community to ensure the protection of private information collected through CCTV systems.
The audited councils advised that they have never found an incident of inappropriate use of surveillance systems or footage, and OVIC advised that it has never received a complaint about such use. However, given the weaknesses that we identified in security and access controls, and the lack of review of how CCTV systems are being used, the absence of evidence of inappropriate use of council CCTV doesn't provide strong assurance that no such incidents have occurred.
Gaps in councils' CCTV system signage, management and oversight mean the councils are unable to demonstrate that their CCTV activities adhere to the requirements of PDPA, including appropriate use and sufficient protection of the information collected from unauthorised disclosure. Where councils do undertake monitoring and assurance activities, they are largely restricted to public safety CCTV systems. This means that councils are not adequately scrutinising the operation and use of most of their CCTV systems.
Councils can improve the security of the personal information they gather through their CCTV systems to better protect the privacy of individuals.
Improving physical security and access controls will better enable councils to ensure that access to and use of these systems is appropriate and that the information collected from their surveillance activities in public places is protected from unauthorised disclosure. 
Findings 
Management and Oversight 
Except for Horsham, all the audited councils have a policy to guide their management of CCTV systems. However, in most cases, these policies focus on public safety CCTV systems, and councils do not have robust, documented operating procedures to support the sound management of their corporate CCTV systems.
Only East Gippsland could demonstrate that decisions to install new CCTV cameras in public places are informed by consideration of privacy impacts, and there was also only limited evidence of community consultation about new cameras at any of the councils. Apart from Melbourne, none of the councils have adequately used their agreements with Victoria Police to ensure proper oversight of and accountability for the use of public safety CCTV systems. The agreements between police and councils require the councils to establish a steering committee and an audit committee to oversee and review these systems. These oversight committees varied in their effectiveness—typically, they meet rarely and when they do they focus on operational issues such as camera location and functionality rather than privacy and data security.
Corporate CCTV systems arguably pose greater privacy and data security risks than public safety systems because they are dispersed across many locations and are subject to local operating practices that are not guided by robust procedures. Only Melbourne and East Gippsland had sufficient senior management involvement in the use of corporate CCTV systems, and none of the audited councils reported regularly on these systems.
In addition, none of the councils had formal committees or assurance processes to oversee the management and use of their corporate CCTV systems. As a result, senior management and councillors lack adequate assurance that their CCTV systems are managed appropriately.
Where formal monitoring and assurance activities do occur, they are largely restricted to public safety CCTV systems which typically make up 20 per cent or less of council CCTV systems. Councils do not routinely scrutinise the operation and use of their corporate CCTV systems. Regular reporting on key metrics for all corporate CCTV systems—such as the number of times council staff reviewed CCTV footage, saved or copied CCTV footage, and provided copies of footage to external parties—would make senior management aware of these surveillance activities, support a culture of appropriate use, and promote more active management.
Melbourne and East Gippsland are the only councils to provide regular public reporting on the use and management of their CCTV systems. However, even these councils report only on public safety CCTV systems rather than all their CCTV systems. 
Privacy and Data Security
It is positive that the audited councils have not found any instances of inappropriate use of surveillance systems or footage. We found that councils have good awareness of the privacy issues associated with the use of CCTV systems.
However, all five councils can improve the security of the personal information they gather through their CCTV systems to better protect the privacy of individuals. Key areas to address include improving physical security and access controls for corporate CCTV systems and regularly assessing whether those controls are working.
All of the audited councils use generic user logins for corporate CCTV systems, and some do not use system activity logs to track usage. These practices increase the risk of inappropriate use occurring and going undetected. There are similar issues with public safety CCTV systems.
Improving physical security and access controls will better enable the councils to protect information collected from council surveillance activity from unauthorised disclosure.
In addition, we found at least one site at each council where they operate CCTV in public spaces without adequate public signage. 
Recommendations 
We recommend that the City of Melbourne, Whitehorse City Council, Hume City Council, East Gippsland Shire Council and Horsham Rural City Council:
1. review and update their CCTV policies to address the requirements of the Privacy and Data Protection Act 2014 (see Section 2.2) 
2. assess all CCTV systems installed prior to the approval of a CCTV policy to ensure they comply with the policy (see Section 2.2) 
3. assess the privacy impacts of proposals to install new or additional CCTV surveillance devices in public places (see Section 2.3) 
4. develop site-specific operating procedures for their corporate CCTV systems to reflect the requirements of the Privacy and Data Protection Act 2014 and their policies (see Section 2.2) 
5. allocate responsibility for overseeing the operation of CCTV systems to an appropriate senior manager and implement regular reporting on key aspects of CCTV system use (see Section 2.4)
6. include a periodic audit of CCTV system use and data security in their forward internal audit programs (see Section 2.7)
7. review and update the content and position of all signage in locations with corporate CCTV systems to reflect better practice (see Section 3.2) 
8. review and address access control and data security weaknesses for corporate CCTV systems (see Section 3.3) 
9. ensure regular audits and evaluations of public safety CCTV systems and hold the oversight committees for these systems to account for meeting their responsibilities under agreements with Victoria Police (see Sections 2.5 and 2.6).
We recommend that the Horsham Rural City Council:\ 
10. establish and implement a policy to cover all council CCTV systems (see Section 2.2). 
We recommend that the Whitehorse City Council:
11. establish an agreement with Victoria Police for the public safety CCTV system at the Box Hill mall and laneways (see Section 2.5). 
Responses to recommendations 
We have consulted with the Melbourne, Whitehorse, Hume, East Gippsland and Horsham councils, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. We also provided a copy of the report to the Department of Premier and Cabinet. The following is a summary of those responses. 
The full responses are included in Appendix A.
All councils accepted the recommendations.
Melbourne, East Gippsland and Horsham provided action plans noting their intended actions and timelines for addressing each recommendation. Whitehorse and Hume did not provide an action plan addressing each specific recommendation but provided information on how they will approach addressing the audit recommendations and the timelines for this work.are

03 October 2018

AI and the Workforce

Yet another report on AI and employment.

The Royal Society's The impact of artificial intelligence on work An evidence synthesis on implications for individuals, communities, and societies paper comments
Artificial intelligence (AI) technologies are developing apace, with many potential benefits for economies, societies, communities and individuals. Across sectors, AI technologies offer the promise of boosting productivity and creating new products and services. Realising their potential requires achieving these benefits as widely as possible, as swiftly as possible, and with as smooth a transition as possible.
The potential of AI to drive change in many employment sectors has revived concerns over automation and the future of work. While much of the public and policy debates on AI and work have tended to oscillate between fears of the ‘end of work’ and reassurances that little will change in terms of overall employment, evidence suggests neither of these extremes is likely. However, there is consensus that AI will have a disruptive effect on work, with some jobs being lost, others being created, and others changing.
There are many different perspectives on ‘automatability’, with a broad consensus that current AI technologies are best suited to ‘routine’ tasks, albeit tasks that may include complex processes, while humans are more likely to remain dominant in unpredictable environments, or in spheres that require significant social intelligence.
Over the last five years, there have been many projections of the numbers of jobs likely to be lost, gained, or changed by AI technologies, with varying outcomes and using various timescales for analysis. Most recently, a consensus has begun to emerge from such studies that 10–30% of jobs in the UK are highly automatable. Many new jobs will also be created. The rapid increase in the use of administrative data and more detailed information on tasks has helped improve the reliability of empirical analysis. This has reduced the reliance on untested theoretical models and there is a growing consensus about the main types of jobs that will suffer and where the growth in new jobs will appear. However, there remain large uncertainties about the likely new technologies and their precise relationship to tasks. Consequently, it is difficult to make precise predictions as to which jobs will see a fall in demand and the scale of new job creation.
The extent to which technological advances are – overall – a substitute for human workers depends on a balance of forces, including productivity growth, task creation, and capital accumulation. The number of jobs created as a result of growing demand, movement of workers to different roles, and emergence of new jobs linked to the new technological landscape all also influence the overall economic impact of automation by AI technologies.
While technology is often the catalyst for revisiting concerns about automation and work, and may play a leading role in framing public and policy debates, it is not a unique or overwhelming force. Other factors also contribute to change, including political, economic, and cultural elements.
Studies of the history of technological change demonstrate that, in the longer term, technologies contribute to increases in population-level productivity, employment, and economic wealth. But these studies also show that such population-level benefits take time to emerge, and there can be periods in the interim when parts of the population experience significant disbenefits.
Substantial evidence from historical and contem- porary studies indicates that technology-enabled changes to work tend to affect lower-paid and lower-qualified workers more than others. This suggests there are likely to be transitional effects that cause disruption for some people or places.
In recent years, technology has contributed to a form of job polarisation that has favoured higher-educated workers, while removing middle-income jobs,and increasing competition for non-routine manual labour. Concentration of market power may also inhibit labour’s income share, competition, and productivity. One of the greatest challenges raised by AI is therefore a potential widening of inequality, at least in the short term, if lower-income workers are disproportionately affected and benefits are not widely distributed.
This evidence synthesis provides a review of research evidence from across disciplines in order to inform policy debates about the interventions necessary to prepare for the future world of AI-enabled work, and to support a more nuanced discussion about the impact of AI on work. While there are a number of plausible future paths along which AI technologies may develop, using the best available evidence from across disciplines can help ensure that technology-enabled change is harnessed to help improve productivity, and that systems are put in place to ensure that any productivity dividend is shared across society.

02 October 2018

Internationalised Law Teaching

'Threats to internationalised legal education in the twenty-first century UK' by Jessica Guth and Tamara Hervey in (2018) 52(3) The Law Teacher asks
What are the prospects for internationalised legal education in the contemporary UK? Our reflections on this question were prompted by three relatively recent publications dealing with a variety of aspects of the internationalisation of legal education, as well as discussions in and outputs from “Brexit and the Law School” events in Liverpool Law School, Keele University, Strathclyde University, and Northumbria University during 2017. We argue that, although law is often assumed to be state based and jurisdiction specific, there are significant reasons to internationalise legal education but that in the current climate of Brexit, marketisation of higher education and the Solicitors Qualifying Examination such internationalisation is under threat. 
The authors comment
Why internationalise legal curricula? What are the prospects for internationalised legal education in the contemporary UK? Our reflections on this question were prompted by three relatively recent publications dealing with a variety of aspects of the internationalisation of legal education,  as well as discussions in and outputs from “Brexit and the Law School” events in Liverpool Law School, Keele University, Strathclyde University, and Northumbria University during 2017. We argue that, although law is often assumed to be state based and jurisdiction specific, there are significant reasons to internationalise legal education. Teaching of EU law has ensured that at least basic elements of Europeanisation (and thus at least a variant of internationalisation) have had a relatively secure place in UK law schools. That place is now under threat. Our concern is that, over time, Brexit is likely to lead to EU law no longer being regarded as a “core subject” in law degrees in England and Wales, and perhaps also in Scotland or Northern Ireland. This change to UK legal education will be strengthened by the forces of marketisation in higher education more generally. In England and Wales, where such marketisation has gone the furthest, its effects on internationalisation of legal education will be exacerbated by changes to legal education and training mandated by the professional bodies regulating the legal professions, and the Solicitors Regulation Authority (SRA) in particular. These changes to the broader landscape of legal education have a knock-on effect on the curriculum more generally, as well as on the make-up of our law schools, in terms of staff and students. Overall, these effects are likely to lead to a less international and internationalised legal education, when considering the UK as a whole. We expect there to be some exceptions to that general trend, which we expect to be particularly strong in the regions of England. 
We first outline possible reasons for internationalising legal education. We then consider the role of EU law teaching in contributing to that internationalisation before examining the impact that Brexit and other factors, in particular changes brought in by the SRA, might have on the teaching of EU law and internationalisation more generally. 
Law seems to be a parochial, state-based subject. Despite discussions of “law and globalisation” since at least the late 1990s, and arguably much earlier, which continue to the present day,  in mainstream legal discussions, law’s legitimacy and authority stem from the state. This is true also of public international law (at least in terms of its dominant discourses), which is understood as the law of states. Equally, private international law and comparative law are concerned with the interactions between different (implicitly state-based) legal systems, or the influences of one legal system, or aspects thereof, on another. Influences could be through legal transplants,  for instance transposing a civil or criminal code, or statute, from one system to another; or through the persuasive power of rationes across common law jurisdictions. These understandings of the state-grounded nature of law are reflected in the curricula of law schools across the world. 
Nonetheless, many law schools have sought to “internationalise” their curricula. Indeed there is a burgeoning literature on such internationalisation of legal education. Internationalised legal education is increasingly well represented particularly in the “elective” side of legal education, though it remains extremely light in the core curriculum. At least four interlocking and overlapping reasons (which are both “instrumental” and “non-instrumental”) may motivate such curriculum development: the economic, the academic, the political, and the humanistic or social, ethical and personal developmental.  
The most obvious instrumental reason is the economic. The world is interconnected, and becoming increasingly so with technological developments particularly in communications both real and virtual. As Christophe Jamin and William van Caenegem put it, globalisation drives “a universal need for people trained in international questions”.  Globalisation processes cannot but include law and legal systems. Law students therefore need an education that goes beyond domestic law, and this is understood as a need that is set to continue. Law graduates who can solve problems in many locations and across locations in culturally sensitive ways are and will continue to be attractive to (at least some) future employers.  Curricula should be “future proofed”, not “teaching to ossified professional contexts”, and that means a future within which internationalisation is valuable. s Law schools as economic actors therefore seek to situate themselves, and their students, within, rather than apart from, the rest of the world: in the sense of both the local and the global communities that their graduates will serve.  
Scholars such as Margaret Thornton and Lucinda Shannon  see a much darker instrumental side to the economic rationales behind recent internationalisation of legal curricula. For them, internationalisation in law schools is part of a marketing fiction, the idea that a law degree is a fulfilling experience,  replete with promise of interesting and engaging future careers. Actually, behind the marketing “puff”, law chools all offer essentially standardised opportunities and service of legal education. These are very much based on national curricula, driven by higher education qualifications frameworks, but above all by professional statements of the “foundations of legal knowledge”.   Instrumental legal education (especially on an “apprentice” model of professional training, but even on a “university” model  in this sense means domestic legal education. 
Academic reasons for internationalising legal education could be categorised as either instrumental or non-instrumental. Learning about what the law is represents only a very thin notion of legal education. A more substantial academic pursuit – which is at least arguably also more “useful” – moves beyond the merely descriptive towards the explanatory and analytical. If a law school seeks to help students to develop understandings of why the law is the way it is, an internationalised curriculum can help, by showing how legal systems are connected by histories (for instance, colonial histories, or legal transfers for the purposes of law reform, or borrowing of legal reasoning through the common law method). Further, comparative legal insights can help students to develop critical thinking, by demonstrating that there is more than one way to solve a particular legal problem or puzzle. This latter reason shades into the political: internationalisation can have the effect of shining a light on the ways in which a particular domestic legal system is implicitly presented as “the best” through legal education. Where carried out adeptly, raising students’ awareness of “the vastness of approaches crafted by law across the globe” prompts the kinds of critical thinking that expose such assumptions for what they are. Further, showing that “law means different things in different jurisdictions” can prompt thinking about questions of legal legitimacy, authority and power. But conversely, internationalising the content of legal curricula may actually have the opposite effect. Relatively narrow, yet politically dominant, systems or approaches may be subtly presented as “the best” among comparative material. Patterns of neo-colonialism play out in legal curricula as much as they do in higher education more generally.  
The least “instrumental” reasons for internationalising legal curricula could be described as humanistic, social, ethical, or personal developmental. Developing skills of critical thinking, a sense that there is more than the local/national, ability to use legal reasoning and argument to achieve different ends, and awareness of relations of dominance, and the roles law plays to feed those relations, all do more than equip students for future careers. These kinds of educational experiences also provoke social and personal reflection, leading to development as a socially and ethically aware human being.  
Thornton and Shannon argue implicitly that the way that the consumerised marketing of contemporary legal education operates precludes this kind of deep experiential reflective and developmental (non-instrumental) learning. Such marketing does so through a kind of double-shift. First, law school marketing seeks to distance the law school “experience” on offer from the kinds of individual development associated with education in its traditional higher education sense. Law schools downplay the actual work, the intellectual, emotional or psychological discomfort involved in studying law, constructing a law degree within “a neoliberal … shift from engagement to passivity”  in higher education generally. And second, law school marketing and the development of legal curricula on offer seek to reconnect legal education with the domestic profession, the “economic”, and a strongly instrumental rationale for law degrees.  Legal education offers placements,  experiential learning, and problem-solving/problem-based learning, all designed to persuade students that they will graduate with skills and competencies ready for the profession they seek to join. 
Historically, of course, across Europe, legal education has often been understood solely as professional training, and this was certainly so in England and Wales with its “apprentice model”. The debate about whether legal science is a “proper” subject for university study is one which echoes through the centuries. Each generation of law school academics and legal professionals plays out its own version of the discussion. In Thornton and Shannon’s account, “law school marketing is strongly correlated with the vocational aspects of legal education”, law schools are seen as a branch of the legal profession, with a commercial focus, and teaching applied “real world” skills. In Member States of the European Union, EU law is the “law of the land”, so instrumental rationales coincide with learning law that goes beyond that of the state. To a lesser extent this is also true of EEA law, and at least some of the law of the Council of Europe. For many law schools, including outside Europe, these “real world” skills include a focus on internationalised lawyering, particularly having in mind elite global law firms and emerging markets, especially in Asia. 
The phrase “real world skills” when used in this context reinforces a particular notion of the university, and of its staff and students. Far from being significant contributors to economic,  political or social life, universities and the law schools within them are constructed as a fantasy place (an “ivory tower”) where “normal life” is suspended. Their only use is to grant degree certificates showing examination requirements have been satisfied; they are not per se places of learning. The place of internationalisation in the law curriculum thus rests only on instrumental justifications: international legal education is secure only as long as (at least some of) the legal profession seeks it. Or to put it another way, the logical consequence of this line of reasoning is that – outside the context of the European Union – international legal education is only for those in demand as future elite “global lawyers”. 

Equifax breach of the Australian Consumer Law

Global credit referencing giant Equifax was cavalier about preventing and responding to a major data breach  last year- a mere 145 million or so people. With an estimated 85% market share of Australia's  consumer credit reporting market we might, naively, expect it to embody best practice and attract a higher level of regulatory scrutiny than a local minnow.

 It is in the news again, with the ACCC noting that the Federal Court, following joint submissions by Equifax and the ACCC, has ordered that Equifax Australia Information Services and Solutions Pty Ltd (Equifax's Australian arm) pay penalties totalling $3.5 million for misleading and deceptive conduct and unconscionable conduct in relation to credit report services.

The Court has ordered, by consent, that Equifax contribute $100,000 towards the ACCC’s legal costs.

The ACCC states
 Equifax admitted it breached the Australian Consumer Law (ACL) in 2016 and 2017, when its representatives made false or misleading representations to consumers during phone calls. 
Equifax told consumers that its paid credit reports were more comprehensive than free reports it had to provide under the law, when in fact they contained the same information. 
“Equifax’s conduct caused people to buy credit reporting services in situations when they did not have to. Consumers have the legal right to obtain a free credit report under the law,” ACCC Commissioner Sarah Court said. 
Equifax also admitted it told consumers they would be charged a single ‘one-off’ or ‘one-time’ payment, but failed to disclose that payments for its paid credit report packages would automatically renew unless consumers opted out. 
“We considered it unacceptable that consumers were denied the knowledge and proper opportunity to opt out of recurring charges from Equifax,” Ms Court said. 
Equifax also told consumers that the credit score provided in its paid credit reports was the same credit score used by credit providers when that was not always the case. 
In respect of three vulnerable consumers, Equifax also admitted that it acted unconscionably by using unfair sales tactics and making misleading representations during telephone calls. 
“It is appalling that Equifax used unfair sales tactics on consumers who were vulnerable,” Ms Court said. 
“Consumers have a right to receive accurate information from credit reporting companies when they seek advice or services.” 
“This result sends a strong message to businesses that making misrepresentations and acting unconscionably against consumers will not be tolerated,” Ms Court said. 
The court also ordered, by consent, that Equifax establish a consumer redress scheme which will allow affected consumers to seek refunds for a 180 day period.
The penalties ordered were based on admissions made by Equifax and joint submissions on penalty made by Equifax and the ACCC. 
Action by the ACCC was noted in March this year.

The Privacy Act 1988 (Cth) provides that consumers are entitled to access their credit reporting information for free once a year, or if they have applied for, and been refused, credit within the past 90 days, or where the request for access relates to a decision by a credit reporting body or a credit provider to correct information included in the credit report.

Aged Care Politics

'Conflicting Agendas: The Politics of Sex in Aged Care' by Alison Rahn, Tiffany Jones, Cary Bennett and Amy Lykins in (2016) 10 Elder Law Review 1-24 comments
Despite legal protections, couples in Australian residential aged care facilities experience institutional interference in their intimate and sexual relationships. Panoptic surveillance remains widespread in aged care. Little attention is given to privacy. Some residents’ doors are kept open at all times. Couples may be separated or provided with single beds only, unable to push them together. Staff frequently enter without knocking, commonly ignore ‘do not disturb signs’ and often gossip about residents. This culture has its origins in colonial institutions. Attempts at legislative reform to redress this situation have been met with mixed responses, with the most vociferous opposition coming from religious conservatives. A recurrent source of conflict is the tension between the ‘rights’ of religious and political institutions versus those of individuals. This article identifies systemic issues faced by partnered aged care residents, their historical origins, and the legislation that is designed to protect residents. Using a thematic analysis methodology, it reviews political debates in the past 40 years, in both federal Parliament and newspapers, and provides a critical analysis of recurrent themes and ideologies underpinning them. It concludes with recommendations for legislation that is consultative and ‘person-centred’ and recommends proscriptive privacy protections. Adoption of these ideas in future policy reforms has the potential to create more positive outcomes for partnered aged care residents.
 The Authors state
Sexuality in aged care environments is a fraught topic. Traditionally, aged care providers have determined moral standards and ‘acceptable’ behaviours in their facilities. However, some politicians and professionals have argued that aged care residents have the same civil rights as all citizens1 and have advocated for residents’ sexual relationships to be respected and accommodated.2 Some contend that cultural change is long overdue and will only happen if the Government legislates for providers to actively protect residents’ sexual relationships by training staff to respond appropriately and compassionately to residents’ sexual expressions.3 What prevents this from happening? xxx A review of the literature suggests entrenched cultural patterns in aged care practice have their roots in colonial institutions. This article begins by briefly reviewing current problems faced by partnered residents, followed by an historical overview of institutional aged care in Australia, tracing recurrent themes and persistent problems for couples. With this background, discussion turns to the history of attempted reforms to protect couples and the corresponding political debates in the period 1974 to 2015.

01 October 2018

Online Human Rights By Design

'Human Rights by Design: The Responsibilities of Social Media Platforms to Address Gender‐Based Violence Online' by Nicolas Suzor, Molly Dragiewicz, Bridget Harris, Rosalie Gillett, Jean Burgess and Tess Van Geelen in (2018) Policy and Internet comments
 Gender‐based violence [GBV] online is rampant, ranging from harassment of women who are public figures on social media to stalking intimate partners using purpose‐built apps. This is not an issue that can be addressed by individual states alone, nor can it be addressed satisfactorily through legal means. The normalization of misogyny and abuse online both reflects and reinforces systemic inequalities. Addressing gender‐based violence online will require the intervention of the technology companies that govern the commercial Internet to prevent and combat abuse across networks and services. We argue that international human rights instruments provide an opportunity to identify with more precision the responsibilities of telecommunications companies and digital media platforms to mitigate harm perpetrated through their networks, and ensure that the systems they create do not reproduce gendered inequality. Finally, we present initial recommendations for platforms to promote human rights and fulfill their responsibilities under the United Nations Guiding Principles on Business and Human Rights.
The authors conclude
Online gender‐based violence is increasingly recognized as a major human rights problem (Amnesty International, 2018; Lewis, Rowe, & Wiper, 2017; OHCHR, 2017; United Nations Human Rights Council, 2018). Just like the discriminatory attitudes that engender them, solutions are complex. GBV occurs on a continuum that encompasses a range of behaviors from the routine forms of normalized harassment and abuse to criminal acts. Competing rights and jurisdictional issues will require multifaceted strategies to address GBV. Government intervention alone will not be sufficient to challenge and address systemic inequality, discrimination, and abuse. Ultimately, discriminatory attitudes are produced and reproduced across communities and cultures, including on the Internet, and these are what need to change to reduce GBV.  
We suggest that the next steps in a multifaceted response to online GBV requires open discussion and debate as well as empirical research to better understand peoples’ lived experiences of online GBV. While excellent work is emerging (see e.g., Chatterjee et al., 2018; Dragiewicz et al., 2018; Freed et al., 2017, 2018; Lewis et al., 2017; Salter, 2017; Woodlock, 2017), more research is needed to understand the landscape of GBV and responses to it online. In particular, empirical research is needed in order to produce evidence to guide international efforts to modify and use Internet architecture to address GBV. Scholars can investigate the meaning and impact of GBV online as well as the behaviors and technologies involved. Research with Internet users and avoiders can help us understand the positive and negative uses of the Internet for achieving gender equality and addressing GBV. Ample research documents the gendered digital divide, but it is mostly descriptive and concerned with the percentage of populations accessing the Internet, how often, using which platforms, and to a lesser extent, for what (see e.g., UN Broadband Commission for Digital Development Working Group on Broadband and Gender, 2015). These crude measures fail to capture cultural contributing factors that are important to understand benefits and barriers to Internet use for people of all genders. 
In addition (and in parallel) to more research, more experimentation is needed to understand how telecommunications and Internet intermediaries can adopt their infrastructure, policies, procedures, and socio‐technical affordances to tackle the spectrum of GBV. This work is still in very early stages, and scholars and civil society advocates are leading the way in articulating what societies are entitled to expect from technology firms. Ongoing collaborations between tech firms and civil society have started to bear very promising fruit, but a great deal more work remains to be done. In this regard, while the aspirational principles articulated in human rights documents may seem idealistic, we see them as a key part of an ongoing set of efforts to ensure that our globally shared digital infrastructure and the multitude of communications services that build upon it are designed and deployed in a way that respects and promotes human rights. By no means will nonbinding principles be sufficient; but as Esquivel and Sweetman (2016, p. 2) argue, “international agreements have been hugely important in directing policy decisions and resource flows to social goods, acting as a rallying cry for those fighting injustice and marginalisation, and influencing the cultural and social norms which we all live by.” 
States also have an important role to play in addressing GBV online. Nation states retain primary responsibility to develop domestic laws that can effectively protect human rights, and states should take much more urgent action to address what appears to be a rapidly growing problem (Jane, 2017; UN Broadband Commission for Digital Development Working Group on Broadband and Gender, 2015). One of the key challenges for states is to ensure that the Internet intermediaries within their jurisdictions work to effectively address GBV online on their networks. This is a difficult task that will require collaborative action across business, government, and the broader community, as well as ongoing reform to telecommunications law and policy. This is also an inherently international issue, but international coordination is constrained because different countries have differing levels of commitment to human rights principles, and some have not ratified major treaties (including China, Russia, and the United States). For example, the geographic concentration of these corporations in the United States, which has not ratified key human rights treaties such as the Convention on the Elimination of all Forms of Discrimination Against Women, is an undeniable barrier to using human rights tools to address GBV. Nonetheless, even in an era of institutionalized disregard for human rights, discussion of gender equality and the elimination of GBV online provides an opportunity to discuss normative values around GBV, including in developed countries. We hope that this discourse can increasingly be used to positively influence the ongoing practices of telecommunications companies and digital media platforms.