The Limits of Consent
After two years of legal arguments, it would appear that consumer consent does not override an entity’s obligations under privacy laws. Consent, it would seem, has its limits. When it comes to the collection of personal data, consent may not transform that, which is not reasonably necessary for an entity’s functions or activities, into personal data that an entity can lawfully collect.
As it turns out, – at least when it comes the NSW Information Protection Principles – consent may be entirely irrelevant when it comes to an agency’s obligation to only collect personal information which is reasonably necessary for one or more of its functions or activities. The NSW Information Protection Principles, although not the same as the Australian Privacy Principles (but broadly similar), only applies to NSW public sector agencies, statutory bodies, local council and universities.
However, should ‘reasonably necessary’ be the limit for consent to collect personal information under the Australian Privacy Principles (and specifically APP3), the implications in the age of Big Data, and the ways in which companies collect (and commercialise) data, will be profound.
In February 2018, the NSW Civil & Administrative Tribunal (NCAT) found that the design of the Opal Card system breached NSW privacy laws by over-collecting passengers’ personal information. In order to receive and use his Gold Opal Card (i.e. senior/pensioner Opal Card), Mr Waters was required (compulsorily) to register his card in his name. This not only meant that he could not use his Gold Opal Card anonymously (like most other passengers could), but that by keeping a record of his travel history data linked to his identity, his physical movements were in essence ‘tracked’.
Mr Waters launched a challenge against the collection of his travel data by Transport for NSW, arguing that Transport for NSW breached the NSW Information Protection Principle 1, which requires:
(1) A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
According to Transport for NSW, compulsory registration for Gold Opal Cards was required to prevent and manage cases of fraudulent use of Gold Opal Cards. That is, Transport for NSW believed that the compulsory requirement for a senior or pensioner to register a Gold Opal Card, and by extension the collection of their travel history data, was ‘reasonably necessary’ to prevent and manage fraudulent use of the Gold Opal Cards.
However, NCAT did not agree with Transport for NSW, deciding instead that the design of the Opal Card system breached IPP 1 and that the collection of the travel history data was not reasonably necessary for the purpose of preventing and managing fraudulent use of Gold Opal Cards, and therefore unlawful.
According to NCAT, “there seems little basis for the collection of the travel information for the stated purpose of enforcement/eligibility for the entitlement to the concession card.”
- Consent does not provide an exemption to IPP 1. i.e. whether an individual consents to the collection of their personal information is irrelevant to IPP 1, which is about whether or not the collection is ‘reasonably necessary’ and lawful; and
- An individual’s consent for an agency to use personal information for secondary purposes is predicated on whether an individual acts in a purely voluntary manner or merely because of a lack of choice.
NCAT recommended that Transport for NSW seek legal, privacy, IT design advice, as well as consider other equivalent systems, such as for example in Victoria, Queensland and Hong Kong, stressing that “some action must be taken…to make the system compliant.”
Transport for NSW has indicated that it plans to appeal the decision. But while we wait to see the outcome of (any) appeals, some words to the wise (entities):
If collecting customer (personal) data is not reasonably necessary for the primary purposes for which you and the consumer are transacting…rethink whether you should be collecting it at all. And at the very least, revisit your consent processes – because if the consumer has no real choice in providing consent…it is probably not consent.
If consent has its limits, it would appear that Data Minimisation is not an entirely novel concept – or unique to the GDPR.