
Media contact

Victoria Ticha
+61 2 9065 1744
v.ticha@unsw.edu.au

The increasing use of Artificial Intelligence (AI) and new surveillance technologies have . In Australia, the number of , particularly in the finance and healthcare sectors, has risen over the last few years. Information mishandling, opaque, excessive and pervasive surveillance, and the increasing use of facial recognition and other biometrics are just some of the latest developments causing concern.

As a result, Australians are worried about protecting the privacy of their data and have become of the activities of businesses that collect, handle and share revealing information about their activities, interests and preferences.

With the over the last few years and , concerned consumers and regulators have forced businesses to undertake expensive rearchitecting of their data systems, data handling processes, and data project governance and assurance.

But many business models and data architectures were not designed to be private and secure by design and default, said Peter Leonard, Professor of Practice for the School of Information Systems & Technology Management and the School of Management & Governance at UNSW Business School.

Another reason businesses have struggled with privacy issues is that it has taken the Australian government over two decades into the 21st century to start a serious discussion about making the Australian Privacy Act fit for purpose, said Prof. Leonard.

Peter Leonard

It has taken the Australian government over two decades to start a serious discussion about data, AI and making the Australian Privacy Act fit for purpose, says UNSW Business School's Peter Leonard. Photo: Supplied.

How does AI affect your privacy?

The most difficult area to address in AI and data privacy is the issue of data profiling. For example, insurers could use AI for profiling to avoid taking on high-risk clients, undermining the pooling of risk that enables premiums to be affordable across a broad base of insured persons, said Prof. Leonard. Data privacy, consumer protection, and insurance sector-specific laws do not address profiling-enabled targeting and thereby ensure consumers are treated equitably.

“Many of the concerns around AI, for example, are about the use of profiling to differentiate in treatment of individuals, either singly (fully ‘individuated’) or as members of a segment inferred to have common attributes. There may be illegal discrimination (intentional or accidental) against individuals that have protected attributes (such as race, religion, gender orientation).

“More often, differentiation between individuals is not illegal but may be regarded as unfair, unreasonable or simply unexpected. AI enables targeted differentiation to be automated, cost-effective and increasingly granular and valuable for businesses”, said Prof. Leonard.

“Then there’s a raft of other issues around nurturing, or at least not eroding, digital trust of persons with whom a business deals, and about how you use data about individuals without them feeling that you’re being ‘spooky’, or otherwise unreasonable, in the data that you’re collecting.”

Two AI data programmers working on computers

Without adequate AI regulation and data privacy laws and guidance, businesses are having to fill in the gaps. Photo: Shutterstock.

How can businesses protect users’ data?

It is no longer good enough to simply comply with current data privacy law, said Prof. Leonard. Trust and privacy concerns go hand in hand, but without adequate laws and guidance, businesses must fill in the gaps.

“You have to start to guess where the law may go and fill gaps in the law in thinking about what is a responsible way to act or an ethical way to act. This is difficult for businesses to do and will require them to consult a broader range of stakeholders, including experts who can think about corporate social responsibility and ethics in the digital age.”

While it is clear that Australia’s privacy laws need reform to address modern problems in an increasingly digital world, reform is complex and contested, especially given that data privacy is inherently multifaceted and complex, explained Prof. Leonard.

Prof. Leonard recently published a design manifesto for an Australian Privacy Act “fit for purpose in the 21st century”. The paper was one of lodged with the Australian Attorney-General’s Department in response to the AGD Discussion Paper on .

Prof. Leonard has put forward several recommendations surrounding reform of data privacy law, focusing on proposals for reform of the Australian federal Privacy Act 1988 (C’th) (Australian Privacy Act) and comparable State and Territory data privacy and health information statutes.

“Many of the issues are actually issues around data governance, how you make this, how management make decisions about how data is used, and how you architect your data holdings so that you can make the right decisions, have the right controls and safeguards in place to do all of this, without creating business models that are going to blow up in your face,” said Prof. Leonard.

“The laws are important, but the law, in my experience, is usually less than a third of the issue that I’m addressing when I’m advising businesses around advanced data analytics and AI.”

“Proper understanding of the limitations of the AI requires considerations of explainability and understanding of humans as to the limitations of the AI or the algorithm.”

Going forward, he urged businesses to consider whether crucial decisions might undermine users’ trust and whether their business models are sustainable for the long-term, given laws are responding to concerns of consumer advocates and citizens around these new uses of data at an ever-changing pace.

“More often than not, the issue isn’t the AI, or the algorithm itself, but rather the over-reliance, the overuse of it, in a range of circumstances… where it was inappropriate to use it,” he said, citing the as a perfect illustration of this.

“The issues to be addressed are not black and white issues of can I, can’t I? Instead, they’re much more complex issues around what should a responsible organisation do, or not do?” he said.

Rob Nicholls

AI and data regulation needs a coherent joined-up policy approach to address the growing privacy debate, says UNSW Business School's Rob Nicholls. Photo: Supplied.

Human decisions are crucial in an AI-driven world

Agreeing with the recommendations put forward by Prof. Leonard, Rob Nicholls, Associate Professor in Regulation and Governance at UNSW Business School, said one of the fundamental ways humans can avoid potential issues with automation is to ensure that AI is used as a tool to support decision-making, not as a tool to make decisions.

“One of the critical things, particularly in the government’s or regulator’s use of AI, is that it needs to be a decision support tool, but the decision is a human decision,” he said.

While Australia’s current privacy laws are inadequate for the problems faced by businesses and consumers in the modern world, more laws aren’t necessarily the answer. Instead, it’s fundamentally more important to consider how data uses can adversely affect humans or be socially beneficial, said A/Prof. Nicholls.

“Businesses must think about: What are you using this for, is it in support of a decision? Why is that important? Because it’s still a CEO’s head on the line… the decision is made by a person. It’s a decision support tool, not pure automation. And I think it’s imperative to distinguish between the two. And where the biggest risk in business comes is when you haven’t drawn that distinction,” he said.

“AI regulation needs joined-up policy,” said A/Prof. Nicholls. “We need to be able to address data protection and privacy protection concurrently. That is a coherent policy approach across all these issues. Being able to walk and chew gum at the same time is critical and, sadly, very absent.”

The original version of this story was published as ‘’ on .