Perspectives from industry leaders

Rise of the Individual: Privacy, Piracy, Data

Four major trends relating to the creation, storage and use of data are together creating a situation pertinent to all businesses and organisations. First, the machines by which we connect to the internet are moving. They’ve already migrated from the desktop to our hands, and now they’re moving onto the body.

Wearable computing and bio sensors through devices such as Google Glass, Nike’s Fuel and Jawbone’s UP wristbands will increase the amount of personal data we can create, access and share. Imperceptible recording devices that can video or photograph through voice commands will be commonplace in the future.

Second, the cost of creating databases and storing data is dropping while their sophistication is increasing.

Third, businesses and organisations, regardless of sector, are seeking to access their customers more directly and understand them better by using online channels, either for marketing or e-commerce or both. Improving broadband networks – fixed and mobile – as well as a growing use of customer analytics, are advancing these goals.

Finally, consumers are obliging by increasing their time spent online. They are employing online channels to seek out products and services and, in the entertainment and media context, to discover and share content.

The positive implications of these trends are obvious, the traps less so. Regulators around the world are responding to increased complaints by consumers about invasions of privacy by tightening privacy laws, especially in online environments. Content businesses too are lamenting revenues lost to piracy enabled by peer-to-peer networks and other online distribution channels.

The thread that connects these significant trends we have termed the “Rise of the Individual”. Data enables a granular view of this individual, and at the same time, the individuals’ rights to privacy are being enhanced.

This year, the Outlook has drawn together thought leaders to discuss the topics of privacy, piracy and data. The discussion was lively and illuminating. What follows is the edited transcript. The discussion was facilitated by Outlook ’s Editor, Megan Brownlow.



Jeremy Thorpe is a regulatory economist and the Managing Partner of PwC’s Canberra office. He employs economic tools and analytics to assist governments and organisations understand how resources can be most appropriately, effectively and efficiently allocated. Jeremy has a passion for assessing the economic impacts of digital media, emerging technologies and copyright issues.

Jeremy tweets at:

Samantha Yorke is the Director of Regulatory Affairs at the Interactive Advertising Bureau (IAB) Australia where she works closely with Australia’s largest online publishers on industry-wide regulatory matters. In her former role as Legal Director for Yahoo!, Samantha consulted with the Government about reforms to the Privacy Act and also helped draft the Best Practice Guideline for Online Behavioural Advertising . She is a Deputy Member of the NSW Information and Privacy Commissioner’s Office Advisory Committee.

Timothy Pilgrim is Australia’s Privacy Commissioner and has been with the Office of the Privacy Commissioner since 1998. He was involved in developing and implementing the private sector provisions of the Privacy Act 1988 (Cth) and also participated in the Australian Law Reform Commission inquiry into Australian privacy laws and practice. Timothy has helped develop a framework for international privacy regulators aimed at increasing cooperation on cross-border enforcement matters.

Simon Hackett is the founder of ISP Internode and a Director of the listed iiNet Group. Established in 1991, Internode was a one of the first movers in the broadband ADSL services market. Simon’s entrepreneurship has involved him in numerous projects over his career, including the establishment of AARNet – the IP network connecting Australia’s universities – and an internet-controlled toaster.

Simon tweets at:

Megan Brownlow is an Executive Director at PwC and Editor of the Australian Entertainment & Media Outlook . Starting her career as a radio and television journalist, Megan has over 20 years’ experience in media ranging from producing news and current affairs television to senior management roles in internet and multi-divisional media companies.

Megan tweets at:

Late last year Parliament passed the most significant changes to privacy law since the Privacy Act (‘The Act’) was created in 1988. A key tenet of the Privacy Amendment is “open and transparent management of personal information” by business and government agencies.

Commissioner, what must we do now - that we didn’t have to do before - when we collect personal information?

Timothy: The reforms to the Privacy Act introduce a range of changes that will have an impact organisations of all types: Australian Government agencies, private sector organisations and credit reporting organisations. At the moment there are information privacy principles which apply to Government agencies. A second set of privacy principles apply to private sector organisations such as banks and telecommunications organisations.

The Parliament decided there will only be one set of principles and these will be called the Australian Privacy Principles . Also, we have a modern, more organised set of provisions that will control how organisations who provide us with credit handle our financial information. And finally there are some changes for me as Privacy Commissioner about how I regulate those particular parts of the Act. I will have a new raft of enforcement powers to help organisations comply with their requirements under the Act. These are some major changes so we’re calling on organisations to start to understand what their new responsibilities will be.

Australian Privacy Principle 1 sets the scene. This principle requires organisations to tell individuals what they’re going to do with our personal information when they collect it, how they’re going to look after it and how they’re going to store it. We look to that principle to instil a sense of “privacy by design”, to encourage organisations to look at their privacy policies and practices, and ask “how do we need to modernise those?”

How will the privacy law reforms affect business’ use of direct marketing?

Timothy: The Direct Marketing Principle requires organisations to use personal information in a way that recognises the sensitivities many in the community have about receiving direct marketing. They must allow people to know what’s going to happen to their information and what rights they have to modify those uses to a way they would prefer. For example, if a person has a relationship with the organisation and would reasonably expect the organisation may use their information for direct marketing, the organisation can do so. However, if there isn’t that long-term, well-established relationship and the individual may not expect they will receive direct marketing, then the organisation needs to get their consent beforehand to allow that direct marketing to occur.

Importantly, on every occasion when they do direct market to an individual they must give them the opportunity to opt-out.

The organisation will also be required to provide that option in a simple way. In a case where an individual may not be expecting to receive direct marketing there must be a prominent sign somewhere in the marketing material or on a website to advise the person they can opt out.

Also, the organisation may be called upon to explain to the individual where they got the person’s information from. This is a new requirement. They will have to respond to the individual in a timely way and at no cost to the individual.

Your powers have increased in a number of ways, including a new ability to apply significant penalties for serious or repeated breaches of privacy. Could you describe the penalties and describe a hypothetical example where you might be tempted to apply them?

Timothy: The reforms to the Privacy Act introduce a number of new compliance activities and new powers for me as Privacy Commissioner. There’s a few that are really useful for the broader business community to know about. Up to now I have not been able to undertake a random audit – or privacy performance assessment – of a private sector organisation. The amended Act is going to allow me to do that. So organisations need to be aware that in the lead-up to the commencement of the reforms in March 2014 they need to look carefully at their systems and their processes with an eye to the fact that at some point I may want to come in and look at them myself.

Another important part is, I will have a new range of code-making powers. I’ll be able to identify say, a new technology that introduces some challenges to how personal information is going to be collected and handled. In the first instance I’ll be able to go to an industry sector or organisation and ask them whether they would like to develop a code and bring that code to me to have it approved. Once approved, that is the mechanism by which they need to protect their customers’ personal information. If an organisation or association doesn’t want to develop a code then I can develop it myself and impose it upon a number of organisations or a particular sector, thus increasing the protections around personal information handled by that particular technology.

The third area of change to my powers relate to the way I can resolve a particular investigation. At the moment most of our investigations come to us via individuals and I have a raft of powers about how I can resolve those. There is another range of investigations that I start on my own volition, without a complaint from an individual.

I’ve conducted a number of major investigations under those powers in recent times, some into some very large companies in Australia. What’s been missing however has been my ability to impose a remedy. I could find an organisation in breach of the Act but I didn’t up until recently have the ability to impose a penalty or a fine or require them to do something. The reforms to the Act give me three new avenues to do just that. The first is, I’ll be able to work with the organisation – as I try to do on all occasions – to get a conciliated outcome without resorting to formal, more punitive powers. However if I need to, I will have access to a determination-making power – similar to the one I have with individual complaints – where I can make a finding and set out a series of particular remedies that I believe the organisation should follow.

The second thing is I can now get written undertakings from the organisation. That is, I can say: “I believe you need to change your systems in a particular way and introduce new processes,” and get them to sign off on those.

The important thing there is those written undertakings will be enforceable through the courts if they’re not complied with.

Finally, I will have the ability in serious or repeated breaches to go to the courts to get a financial penalty imposed on the organisation or an individual in certain cases. To give you an idea, that amount will be in the case of an individual who has breached the Act, up to $340,000 or in the case of an organisation, up to $1.7 million. It would be up to an individual judge to decide the final penalty amount.

I’ve always said my first port of call will be a conciliated outcome wherever possible. I believe it’s important to give organisations the ability to resolve issues internally and to demonstrate that they want to protect the privacy of their customers. There are unfortunately some cases we are seeing – internationally and in Australia – where organisations haven’t taken the right steps to protect their customers’ personal information. These are becoming more obvious as we see serious data breeches occurring around the world, often as the result of malicious hacking events.

When we drill down into how these hacking events occurred, what me and my international colleagues see is that, while those businesses may have put in good security protections for their systems initially, they aren’t keeping them up to date.

PwC research shows that users are increasingly happy to share their personal data if they receive something they value in return e.g. discounts, less advertising etc. What is the panel’s view of this trend? Will consumers successfully negotiate an “exchange”?

Simon: I think their capacity to negotiate is more limited than they might understand it to be. People, especially young people, are not nearly as concerned about privacy on the internet as their older peers might be. Perhaps they’ll become more concerned in 30 years’ time when that embarrassing photograph didn’t get deleted and they’re running for parliament. It’s one of the challenges here.

Samantha: This concept of data having an intrinsic value is quite new and it will take time for all of us to really get our heads around what that means and what value we should attach to our data. Advertising-funded online services are paying very close attention to advertisers and their needs but businesses can only sell advertising if they have a popular service, so at the end of the day they need to provide a compelling service that users trust and want to use before they can then make a successful business out of advertising.

Jeremy: The word ‘trust’ is an interesting one. Things boom in popularity initially not because they’re trusted, but because it’s the thing to do.

Then after a while the concept of trust does come into it. We have seen a number of high profile changes to standard terms and conditions for some web services that sparked a lack of trust, then a backlash.

Simon: Facebook is the easy example of what you’re describing. Every now and again they’ll modify the default or the obvious versus non-obvious settings for privacy.

For example, whether your friends can see your information or whether anybody can. Facebook’s incentive is to get you to publish as much as possible because their value is in the aggregate data, not in you merely exchanging data with five of your friends. So your motivations and theirs are opposed, in terms of what should be private by default and what should be private by explicit decision.

Samantha: But doesn’t that dependency then empower the Facebook user? If they don’t disclose enough information then Facebook won’t then be able to monetise all of that data. To give the industry some credit, there’s a lot of investment going on at the moment around how to develop tools to help consumers control how their data is being collected and used to build trust, but to also help consumers feel they are empowered and they do have a say over how their data is being used.

Jeremy: This is the same problem we have in the physical world around standard form contracts. No one reads them.

They scroll down and click “I Accept”, but it doesn’t mean we understand what we have signed up to.

Timothy: We see that quite regularly in complaints that come into our office. A number of people who have signed up to various agreements, be it online or even more traditional paper based ones, find they are extraordinarily complex and hard to understand and so they go to the default decision which is to tick “Yes”. The challenge for the organisation is that, even having ticked the box, the expectation [of granting permission] hasn’t been established and the person will still complain. Then you run the risk as an organisation of ending up in an unfortunate dispute which can have a bad outcome in terms of public relations. So there’s a real onus on organisations, not just from a compliance with the law perspective, but also to maintain that trust by letting people know what they’re doing with their information in a clear and easy way.

The bottom line for me, as the Privacy Commissioner, is that we are dealing with people’s personal information and the misuse of that impacts on individuals. If we look at Facebook again, recently there’s been some research done by Cambridge University, analysing what could be determined about people when they “liked” something. They did research on 58,000 people and were able to, with 95 percent accuracy, say whether someone was African-American or Caucasian-American, with over 80 percent accuracy what their political views were or party they preferred, and with over 80 percent accuracy what the person’s sexual preference was. These are quite powerful analytics. If we look at that one example and then look at what’s happening with big data, there’s the ability to delve down into peoples’ lives quite significantly.

Samantha: And of course, as the volume of data collected increases and the underlying technology becomes more advanced, the more challenging it becomes for businesses to be able to clearly and easily articulate how that data is being collected and to what use it’s going to be put.

The issues of privacy and piracy are intertwined, as some suggested curbs for piracy, such as shaping content from peer-to-peer sites, have privacy implications. How should we balance the individual’s right to privacy online and dealing with grey areas of online activity such as illegally sharing copyrighted material?

Simon: There’s a great tendency amongst content owners and governments to consider ISPs a soft target that can be used to fix an economic problem resulting from changes in the content industry. Peer-to-peer shaping is not related to piracy, it’s related to cost control. The case between iiNet and AFACT pretty comprehensively established that it wasn’t okay to use an ISP as a soft target to fix an industry whose content model is broken.

Jeremy: You might actually call the content industries on some of their claims as to the costs of piracy. If the costs are as large as the content industries are claiming, you would think there is some benefit for them in supporting the ISPs financially to solve the problem.

Simon: Some of the claims of what piracy costs are actually if all of the people who downloaded illegally had paid for the content at retail. Like it or not, the reality is that a very large fraction of them wouldn’t have done so in the first place.

Jeremy: In fact the content industries would make a saving because they don’t physically produce the pirated work. There’s a focus on loss of revenue when in fact the focus should more appropriately be on loss of profit.

What is the panel’s view of the most appropriate or effective responses to piracy – regulatory or otherwise?

Jeremy: There’s not a single answer to solving piracy. Part of it is the industry itself learning to adjust its business model, getting the windows of release right.

Books have a different issue, music has a different issue again. I think the attraction of the ISP as the solution is, it’s seen as a one stop shop. In fact, they all need to adjust differently depending on the markets, the territories and the products.

Simon: Right. The birth of the internet has allowed digital content’s distribution cost to drop to almost zero. That’s revolutionary in good ways and revolutionary in really bad ways. It’s changed the whole environment and content producers take a long time to get with that change. The [legitimate] distributors of content e.g. Netflix and Apple are the ones transforming Hollywood’s notion of how content works. Surprise, surprise, now they are actually starting to make money selling content that way. That’s really the fix to piracy.

Jeremy: So I turned on Apple TV the other day and there was Argo . In the old world, I would have waited months to actually get the most recent Oscar award winner.

Simon: But that is the point. Hollywood’s finally blinked and shortened the [theatrical] release of the film to the point where you can legally buy the content you want in Australia at a reasonable price. That’s been not true for most of the last 20 years.

Jeremy: One of the real changes caused by the internet is the changing expectations of the consumer, you can have it now. So if the industry responds to the consumer, that’s how we’re going to go forward.

Samantha: Education plays a critical role here because many law abiding citizens buying bootleg DVDs in Bali or downloading the latest releases from a peer-to-peer network often don’t realise what they’re doing is illegal. Those that do, don’t see the harm, they feel their actions are justified because they see big wealthy film distributors, production companies and actors making a lot of money. Regulation in the past hasn’t been a great shifter of behaviour amongst the consumer. Certainly prosecuting consumers is not the answer.

But coming back to the point around the intertwining of piracy and privacy, nobody would dispute that people doing illegal things should be held to different disclosure standards by law enforcement agencies. It’s challenging when there’s a suspicion of guilt and a law enforcement agency comes to a company and asks for personal information to be disclosed, and the company doesn’t have a clue about the degree to which those suspicions are reasonable. Businesses generally have a very pro-consumer and pro-user policy around this because they have an existing relationship with users where they have agreed not to disclose their information without strong legal grounds for doing so. So there’s a balancing act there.

Content owners innovate regularly but are now using data in more sophisticated ways to develop and refine their offerings. How important will data analytics be to the entertainment and media businesses of the future?

Jeremy: Because we don’t have settled business models in so many areas it’s fundamental to understand what consumers are doing. To be successful at the end of the day there has to be an analytic driven response.

Simon: Content owners can absolutely learn from the wisdom of the crowd. Hollywood studies actually monitor downloads of their content on peer-to-peer networks to understand what’s popular and in which countries. This is a real opportunity for people producing content to tune-in in almost real time to what its market actually thinks about it. There’s opportunity here.

Jeremy: Going beyond distribution, there’s also what content should be created. Analytic models using the crowd data to determine... Do I have two vampires or one?

Megan: We know a distributor who changes release windows according to genre. Sci-Fi and action are the genres with the shortest windows because they are the most likely to be pirated.

Simon: Because Sci-Fi and action movies are strongly associated with geeks. Geeks have the latest technology, with the fastest, whizziest connections at home.

Megan: We’ve seen the music industry go through this haven’t we? This year they’re back into positive revenue for the first time in 10 years.

Simon: And the music industry was bludgeoned into action by Steve Jobs, who famously said in one of his remarkable addresses, “If you’re downloading music illegally, you’re working below minimum wage.” And he said that to drive the music industry into selling tracks for a buck each, a number they previously were not prepared to countenance. But he was right and it comes back to the point that if someone is prepared to work below minimum wage to download this stuff, you were never going to sell it to them in the first place; they’re not your customer. Your customer is a time-poor person, prepared to pay a reasonable amount of money, ‘internet reasonable’ amount of money, to get what they want.

And the music industry is the leading edge indicator that if you make that model work you can make a lot of money, make a lot of happy people.

Jeremy: The music industry’s equally evolved, where they’re now supplementing their income through live performances, other broadcast rights etc. So selling cheaply is not the only answer.

Simon: Right. We’ve had some success in our company of late of negotiating with live events that we’re sponsoring, we are filming those. At the WOMADelaide concert in Adelaide we filmed a number of artists in high definition, whacked it up on the internet for free for anyone to watch, with the explicit agreement of the artist. This was a negotiated rights arrangement with them. Why? Because it brings more people to their concerts. They saw those live recordings as gorgeous high quality ads. How about that for an interesting model?

Jeremy: But it’s an integrated model. The radio industry has traditionally argued that by broadcasting music, they’re just advertising for the record industry.

But really they broadcast to generate their revenue and anything else is accidental. Now we’re seeing more sophistication – recording, live performance, broadcasting – there’s an understanding of the relatedness and the advertising they all provide for each other.

Simon: It’s a consequence of this dramatic shift in the cost of distribution. If it’s damn near free to let people watch high definition copies of your live recordings, they become viable as low cost advertisements to see the real thing. You’re right, it’s an ecosystem.

Internet philosopher Seth Godin says, “it’s increasingly hard to function in our society off the grid, [i.e. not being connected to the internet] so we should support the use of data as a feature, not a tax.” Do you agree and if so, what features of life could be enhanced by better use of our data?

Jeremy: We’re still behind compared to many jurisdictions around the concept of government and open data, de-identified for privacy. If we make data available it empowers people to do interesting things with it which will be socially useful. We see it in spasms by government. There’s a sudden enthusiasm, but then other times they don’t want to share certain information because it may actually point to bad performance. I think in this space you have to take the good with the bad and let people play with it and extract value.

Samantha: There is so much content on the internet now, you could literally spend all day, every day trying to find the content you’re interested in seeing. The collection of data will tailor that experience to what you’re interested in and will make navigating the web much easier and more efficient in the future.

Simon: Google is a great exemplar of this. Just lately they have been campaigning quietly; when you go to their website, up pops a message about the merits of logging in before you do a search. The reason is they gain data about your habits.

That’s got a potential negative side but it’s got the massive positive side you mentioned, that you can personalise the web to suit you. And as Jeremy mentioned, there’s the potential for people to have access to government data and to discover genuinely useful new things that might actually empower our society through their own analysis, that no one in government thought to do. That’s very exciting.

Timothy: Our office is responsible for the Freedom of Information Act at the Commonwealth level, and its premise is that government information should be a national resource. This is not a new concept but it is taking a while to embed into government and into the bureaucracy. We’ve set principles for government agencies to follow, to assist them in doing that. We’ve prescribed types of information, that we think should be regularly available through government websites, to try and facilitate a greater use of that information.

A “petabyte” is one quadrillion bytes, or the equivalent of 20 million filing cabinets worth of text. Every hour Wal-Mart collects 2.5 petabytes of customer data. What are the major challenges we’ll face over the next five years as a result of this growing data tsunami?

Simon: Because you’re collecting so much data and because the cost of storing the data is plummeting, no one has the time or inclination to delete any of it, so it’s all going to hang around. In the taxation world, after seven years you know you can throw the stuff away. In the internet, there’s no seven year rule so it’s going to come back to benefit us or to haunt us in 30 years’ time.

Timothy: There’s no seven year rule, I agree, but there is a requirement under the Australian Privacy Act to delete information you no longer require.

Let me use an example of a case we saw, where a very major international online company was hacked and one of the areas the hackers got into was a server that the organisation didn’t even realise was ‘live’. They found millions of records of customers and their credit card numbers, that the organisation had lost complete track of.

Simon: In my view, there are two categories of outcome. Commercial organisations collecting data in order to provide you with goods or services have one set of incentives. They collect that data for pragmatic reasons related to charging you money and sending you stuff. Then you have got these enormous social media organisations who collect personal data because the personal data is actually the product. So they’ve got an incentive to hold onto everything. Let’s say you’re a social media global powerhouse and you’ve collected masses of de-identified information about people which may have incredible commercial value because you understand consumer trends in a country. Saying to them “delete the stuff you don’t need” is a bit difficult when they need all of it.

Samantha: There should be a focus on what data we really need in order for our business to be successful and to provide a compelling service to our users.

Timothy: The Privacy Act recognises that and says that an organisation needs to either delete or permanently de-identify. There’s a lot of valuable data an organisation could keep about their customers without having to keep identifiable information.

Jeremy: Let me throw a challenge out there. We know that the Googles and the Facebooks of the world know how to use data and extract value. The challenge for many companies, and particularly Australian companies is, there’s a lot of data, how do they actually find value in this? Companies struggle now to capture and use efficiently the data they’ve got. The problem is only going to get worse. I actually see the haves and have nots becoming exacerbated in this digital space, that is, if you’ve got the skills and the scale, you can extract the value but it’ll be a harder slog for many smaller organisations.

So even though we think of the internet as bringing everyone into a more competitive frame, the value of data actually may see that separating.

What should Australian organisations be doing to manage the changes in privacy law, piracy activity and the growth in data?

Simon: There’s an onus on companies working in the digital sea to spend time understanding the space – it isn’t as simple as turning on your website and selling those shoes. While it might not initially seem a good investment of time, slowing down to understand the privacy matters, to understand that data needs to be protected, is a very good long-term insurance against your business being threatened badly, perhaps being pushed into un-viability over-night. Trying to get people’s attention long enough is a real challenge, it’s an educative challenge.

I think we’ve all got to work on it in the industry to try and help our customers who are often engaging in commerce on the internet to understand how to do that.

Jeremy: Thinking particularly about piracy and the use of data, I think companies need to make the switch from using the data in a historical sense to using the data in a forward looking sense. That’s an important change because it allows you to then understand how and why people are pirating your materials and take steps to go forward. Even if you’re not thinking about piracy, you’re just looking at customer data, taking that step from ‘what my customers might do’ to ‘what will my customers do’, data allows us increasingly to do that.

Samantha: It’s important for businesses to identify what types of data they have and where that data sits on the regulatory landscape. Is it personal information which is subject to the Privacy Act , is it de-identified information, is it anonymous information or aggregated information, or is it analytical research data?

For information subject to the Privacy Act , that’s fairly straight forward, have a compliance program in place. For data that sits outside of the Privacy Act scope, there’s a real opportunity for businesses to develop self-regulatory frameworks to help demonstrate accountability and build trust with their users. And then finally I think it’s important to get involved with industry, exchange information and best practices because most businesses are facing the same challenges and asking a lot of the same questions.

Timothy: I think this is a perfect time for Australian organisations to take stock of what they’re holding, in terms of personal information. We have a period now until the commencement of the reforms in March 2014 when a whole new raft of responsibilities on organisations will be imposed. Organisations are going to have to re-visit their systems, their processes, their policies, and their staff training, to make sure it’s compliant. So why not also ask why are we collecting certain types of information? Do we need to do it?

And if we do, have we got the right security systems in place to be able to protect that information? If it goes terribly wrong, they’ll lose trust, reputation and their customers and that’ll impact on the bottom line.

Megan: Thank you for your time.