Australia: Big Data, big issues? Is Australian privacy law keeping up?

Privacy Update (Australia)
Last Updated: 27 July 2013
Article by Alec Christie and Reyhaneh Saadati

Big Data has been dubbed by many as the "new economic asset" of our age and of potentially significant value to business.

Following the recent amendments to the Privacy Act and in anticipation of his new powers from 12 March 2014, the Australian Privacy Commissioner Timothy Pilgrim (Commissioner) advised Australians earlier this year that "2013 is shaping up to be the biggest year for privacy in over 20 years".1

Even though the recent amendments to the Privacy Act and the new Australian Privacy Principles (APPs) do not specifically address the Big Data technology/regulation gap, discussions by and between business, individuals, the media and even the Commissioner about Big Data have recently sparked up.


Big Data is the tracking and aggregation of a large volume of data (including personal information) from search engine histories, emails, sales transaction histories, reward/loyalty programs, app downloads and the like.

The aggregation, tracking and analysis of large volumes of data across such a range of variables is of considerable value to business, allowing business to gain insight into its consumers and the market, making it more responsive, increasing efficiency and encouraging new offerings for "new" markets. As well as using their own data, businesses are also finding more and more ways of combining their data with that of third parties (as well as publicly available information) in order to analyse more variables and to "slice and dice" the data in more and more ways.


Analysis of Big Data can be (and is) used to reduce fraud, map disease outbreaks, further scientific research, improve business processes and assist in creating new innovative and wanted products.2 However, there is also a perceived "dark side" to Big Data, especially where such is considered to be an interference with privacy (whether we know it or not).

The extensive amounts of personal information we reveal as we transact online have taken the relationship between customer profiling, predicting trends and marketing to a whole other level. Big Data is capable of tracking movements, behaviours, preferences and predicting the behaviour of individuals with unprecedented accuracy. The more access business has to Big Data the better it can target us with advertising and products that match (or rather predict) our specific interests. This is, however, often done without our consent.


In a speech given in April 2012 the Commissioner referred to an article by journalist Aleks Krotoski3 which reported the purchase of the social media start-up Social Calendar4 by US chain store Walmart. In the article Krotoski points out that, when users of Social Calendar listed friends' birthdays or their holiday details, users would have had no idea that the information they included in Social Calendar would end up in the hands of Walmart. This purchase effectively means that Walmart will, subject to applicable law, be able to cross reference the data from Social Calendar users with its own data to generate profiles of users and their friends (and significant events/celebrations in their lives) for direct marketing opportunities.5

Perhaps the most dramatic example of the use of Big Data occurred early last year when Target's analysis of Big Data worked out that a teen girl was pregnant (before her father knew), but did not flag that she was a teen, and sent her direct marketing for baby and maternity products. This incensed the girl's father – was Target trying to encourage his teen daughter to fall pregnant? Of course, Target chose not to analyse the Big Data to determine whether this person was over 18 before sending her this marketing. However, Target's chosen analysis of its Big Data was able to determine that she was pregnant (and therefore a potential customer). By tracking and analysing her spending habits (not just at Target) Target was able to determine (a) she was expecting a baby and (b) how far along with the pregnancy she was, with unsettling accuracy.

Examples such as these make it increasingly clear that there is a gap between what can be done with Big Data and what is currently regulated/what we as consumers are ready for.


Outside of privacy and spam, Australian law does not currently regulate Big Data. The Privacy Act regulates the collection, use and disclosure of information or an opinion about an identified individual or an individual who is reasonably identifiable (Personal Information) by imposing certain mandatory notification and consent obligations on entities collecting such information. In addition, the SPAM Act prohibits the sending of electronic marketing communications without the prior "opt-in" consent of the recipient.

Identified vs de-identified information

The concepts of Personal Information, de-identified information and the applicability of the Privacy Act to Big Data appear, at first glance, simple enough. However, on further consideration, this is not straightforward in the Big Data context: can the information contained in Big Data ever truly (ie permanently) be de-identified?

Big Data has historically been used for tracking the movements and interests of groups in a de-identified form (ie such that it does not identify any individual in the group). Of course, use of de-identified information is not regulated and business is free to collect, analyse and use such data as it sees fit. However in recent years, as the power of Big Data is discovered and the associated analytical tools are developed, there has been an increasing ability to and a trend towards tracking the movements and predicting the interests of identified individuals.

Even if the data is de-identified (ie the business is seeking to track/predict the behaviours of groups rather than individuals), the current (and future) data analysis capabilities are such that aggregation of vast amounts of data and the analysis available across such a vast range of Big Data collected from multiple sources (each of which may be de-identified individually) will almost certainly enable re-identification of the individuals concerned.

Of course, as soon as the information is re-identified (or re-identifiable), the collection, use and disclosure of such will be subject to the obligations of and restrictions imposed on the use of such Personal Information under the Privacy Act.

When are mandatory notice & consent(s) required?

If Big Data held by a business includes Personal Information (including information which is reasonably capable of being re-identified), the Privacy Act requires that the relevant individuals from whom the information was collected be provided with mandatory notice regarding certain matters (such as the purpose of collection, use and the types of entities to which it is likely to be disclosed) at or before the time of collection of such information.6 Also, if any of the information to be collected is sensitive information (such as health records, criminal convictions, race, sexual preference, etc) or if Personal Information is to be used for a purpose other than the primary purpose for which it was collected then prior consent of the individual will be required.7

Business usually provides mandatory notice and obtains any necessary consent(s) through its privacy policy and processes at the time the Personal Information is first collected by the business. As part of the process individuals are often required to expressly consent to the privacy policy (including the purposes for collection and any required consents), often by clicking a button or ticking a check-box in order to proceed.

However, in the Big Data context, at the time of original collection of the information which later becomes part of Big Data, the business (even if it has collected all the relevant data itself) is often not aware of the full extent of the potential uses it may have for such Personal Information as part of any future Big Data analysis. In addition, the significant volume of non-identified information collected legitimately without notice to and, sometimes, without the knowledge of the individual (eg via dynamic IP addresses, website cookies, mobile phone location, etc) may itself become Personal Information when used as part of Big Data, by being combined with other data and analysed in such a way that results in its identification of or connection to a specific individual.

In practice it is expensive and impractical for business to go back to individuals at a future date to re-notify and/or re-consent for the new Big Data purpose(s) or for the "new" Personal Information collected (ie when de-identified information is re-identified). As a result many potential uses of the information, to which individuals may not have objected if asked when first collected, remain "locked-up" or, worse, business will simply ignore the privacy law. Essentially, the failure of regulation to keep pace with technology and the rise and use of Big Data acts as an impediment to commercialisation and technological innovation by business or, at least, a disincentive for business to comply with the privacy law.

Where business does anticipate certain future uses of Personal Information it may need to notify customers of (or require their consent to) either very complex or vague statements in their privacy policies in an attempt to comply with the obligations under the Privacy Act. Some customers may be put off by this and simply abandon the purchase of the goods or services, particularly in the online world. Also, individuals who provide consent without actually reading the privacy policy or understanding what they are consenting to, how their information will actually be used and whose hands it may end up in may be "shocked" by use of their Personal Information as part of Big Data analysis and there may be a customer revolt against the business (even though the privacy policy of the business technically notifies such use).

A survey funded by the Australian Research Council identified that more than 60% of respondents rarely or never read website privacy policies.8 Therefore the use of Big Data for purposes not reasonably expected by customers (particularly in the marketing context), without clear and transparent notice (ie informed consent), will likely result in unfavourable customer sentiment and may significantly increase the risk of a complaint to and investigation (or regulation) by the Commissioner.

Marketing (electronic and traditional)

Under the SPAM Act business cannot send electronic marketing communications (such as emails, SMS and MMS) to individuals, even if analysis of the Big Data shows that the individual wants such marketing, without that individual's prior consent.

If the Big Data includes Personal Information (as it likely does in most Big Data circumstances), business is not able to use that Personal Information to send non-electronic (ie traditional hard copy) marketing if the recipients would not reasonably expect to receive such marketing communications.

Where consent is required to use Big Data for marketing initiatives, business is faced with the same consent issues discussed above.


Both the Privacy Act and the SPAM Act were enacted before the rise of Big Data and neither adequately addresses the concerns of individuals or provides clarification for business regarding the steps that should be taken to manage the competing interests (ie balancing the protection of an individual's privacy against the business desire to use this valuable "new economic asset" that is Big Data).

Recently there has been much debate around whether uses of Big Data should be subject to increased or specific regulation. Some commentators have suggested that the use of Big Data should be subject to limitations that cannot be circumvented, even with an individual's consent. Others suggest, more reasonably, imposing "informed consent" obligations similar to the overseas transfer consent obligation in the new APPs (ie that the consequences of consent be specifically spelt out for and notified to individuals). Alternatively, we could see a shifting of the obligation for protecting Personal Information to the business using that information in the Big Data context and a prohibition on business using customer consent to get around those obligations.9

The recent amendments to the Privacy Act do not specifically address Big Data. In fact, during the Privacy Week 2013 breakfast held in May, the Commissioner spoke of the gap between practice and regulation by stating that, when it comes to Big Data, the consent model under the Privacy Act (including the recent amendments) is under pressure. The Commissioner went on to suggest that the key to overcoming some of the issues in the Big Data space is likely to be transparency.

In light of the views expressed by the Commissioner, we believe it is likely that a guidance document will be issued by the OAIC on Big Data in the near future.


In the absence of clear regulation or guidance from the OAIC on Big Data at present, business can adopt a number of best practice steps to minimise the risks of infringing the Privacy Act/ending up being investigated by the Commissioner following a customer complaint. Specifically, business can:

  • Audit existing databases to determine what Personal Information they collect and hold, the purpose of collection and whether they are (or are likely) to track and aggregate such information for marketing purposes or purposes other than for which the information was originally collected. Knowing what you have and how you use it is the first step to compliance.
  • Examine the Big Data used and whether information that is not identified separately is "re-identifiable" by combination or through analysis and, if so, review original notices provided and consents obtained at the time of collection of that information.
  • Focus on transparency by providing continuous notification each time there is a change in practices around collection, use or disclosure of Personal Information. Such notification should clearly set out the main ways in which the new practices are likely to impact individuals. Although keeping individuals informed will not remedy the shortcomings of the Privacy Act in respect of Big Data, greater transparency will (it is hoped) decrease potential customer fall-out from unexpected use of Personal Information as part of any analysis of Big Data.
  • Ensure the privacy policy is clear, concise and customer friendly. Mobile websites and apps should contain a short form privacy notice (ideally no longer than one screen shot) which is easy to locate and which must be viewed before the customer can submit any Personal Information. The short form privacy notice could contain a functional link to the full privacy policy.
  • Adopt continuous and flexible consent regimes where business wishes to use Big Data for marketing activities. For example, require customers to re-consent periodically to ensure their consent is current.
  • Consider, in certain circumstances, detangling consents relating to uses of Personal Information which are not essential to the purchase of the goods or services from the remainder of the privacy policy so that customers can choose to consent to essential and non-essential uses separately. In such cases, incentivise the consent for non-essential uses.
  • Ensure internal practices with respect to the handling of Personal Information are compliant with the recent guidance documents issued by the OAIC (including the recently issued "Guide to Information Security").10

Please do not hesitate to contact either of the authors or other members of our dedicated privacy team if we can assist with the review/audit of your current practices in respect of Big Data or if you require assistance to ensure compliance with the new privacy regime to become effective on 12 March 2014.


1 With the introduction in May of a Bill introducing mandatory breach notification (although not passed), there can be no doubt of this.
2 See article entitled "MIT Profs Mull Privacy Concerns as They Parse Big Data" published in The CIO Report - The Wall Street Journal on 22 May 2013.
3 Article entitled "Big Data age puts privacy in question as information becomes currency" published in 'The Guardian' on 22 April 2012.
4 A very popular calendar app on Facebook which allows users to record special events such as the birthdays, anniversaries, etc of family and friends.
5 Of course, this is subject to any consent requirements under the relevant US law.
6 Or, if it is not practicable to provide notice at this time, it can be provided as soon as possible after collection.
7 Or a purpose related to the primary purpose.
8 Survey conducted by Mark Andrejevic of the University of Queensland's Centre for Critical and Cultural Studies and presented by the Commissioner in Brisbane on 26 April 2012 at the University of Queensland Privacy Seminar.
9 In submissions to Microsoft in January 2013 the OAIC indicated support for a move towards placing responsibility on data users (ie business) rather than individuals in order to ensure that the expectation of privacy is met, rather than the current approach of simply complying with black letter obligations.
10 Please refer to our Previous Update for further details.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to
