It is often said that data is the oil of the 21st century. Nearly every online business collects data from website visitors and customers. Even brick and mortar stores have skin in the data game with the advent of in-store loyalty cards. Many businesses input these large data sets into machine learning algorithms that can train themselves to make more and more accurate predictions. You may have implemented a machine learning algorithm within your own business to:
- determine your customer’s preferences for products on your online store;
- verify customers’ identity; or
- determine customers’ potential maximum credit limit.
If you collect personal information and use it as part of a machine learning algorithm, it is important to understand your legal obligations. This article looks at an overview of the general legal framework in Australia. It also looks at additional laws (including the EU GDPR and UK GDPR) that can apply to Australian businesses, depending on their activities.
What Are the Laws Relating to Machine Learning Algorithms in Australia?
In Australia, decisions that impact an individual that are based on automated processes (including machine learning algorithms) are referred to as ‘automated decision making’.
Data Collection and Use
In Australia, there are few specific laws that directly deal with how a machine learning algorithm operates. One example is the laws regulating autonomous vehicles. However, suppose your machine learning algorithm uses personal information to make automated decisions. In that case, you must ensure that your data collection and usage practices are in accordance with Australian privacy laws.
The Commonwealth Privacy Act 1988 is the key piece of legislation regulating data collection and use in Australia. Importantly, the Privacy Act does not apply to all businesses in Australia, but it does apply to all Australian businesses:
- with an annual turnover of more than $3 million AUD;
- that provide a health service;
- that trade in personal information; or
- that have a contract with the Commonwealth Government.
The Privacy Act contains 13 Australian Privacy Principles (APPs) that govern data collection, processing and disclosure. You should therefore speak to a privacy lawyer to confirm whether the Privacy Act applies to your business.
Personal Information
Under the Privacy Act, personal information means ‘information or an opinion about an identified (or reasonably identifiable) individual, whether true or not, and whether or not it exists in a material form’.
Personal information is a broad concept and includes information that relates to your customer’s:
- preferences;
- location;
- age; and
- contact details.
If the Privacy Act applies to your business, and you use personal information in machine learning algorithms, then some of the key aspects of the law to be aware of include that you:
- need to make sure that you are open and transparent in relation to your management of personal information;
- must only collect personal information that is reasonably necessary for your functions or activities; and
- need to provide notice to individuals about how you handle their personal information when you collect it.
You can do this through your privacy policy and privacy collection notices.
European Union General Data Protection Regulation and United Kingdom General Data Protection Regulation
Most countries have their own legal framework for regulating the collection, use and disclosure of personal information. However, two other important laws that are worth considering for Australian businesses are the:
- European Union General Data Protection Regulation (EU GDPR); and
- United Kingdom General Data Protection Regulation (UK GDPR), which is the UK equivalent.
The EU GDPR applies to businesses that are in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals. Therefore, this means that the EU GDPR or UK GDPR can apply to Australian businesses in some circumstances.
For example, under the EU GDPR, the default position is that a person should have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or similarly significantly affects that person. There are scenarios where you can use automated processing. However, individuals must often have the right to obtain human intervention or to contest the decision made about them. This is only a broad overview of the legal position. You should speak to a lawyer who is qualified in EU or UK GDPR; they will help you understand the legal requirements that may apply to you.
Independent Standards
Individuals can suffer harm when machine learning algorithms do not operate as intended. This includes where they are trained on incomplete or inaccurate data. For example, Amazon’s resume-reviewing AI was dropped in 2018 after it was found to have taught itself to discriminate against female job applicants.
Notably, in Australia, one in five people who received debt collection notices under Centrelink’s automated welfare debt collection program, actually had no welfare debt at all! For this reason, many have called for greater regulation and oversight of machine learning algorithms.
Key Takeaways
If you use machine learning algorithms that process personal information within your business and the Privacy Act applies to your business, you need to make sure that your data collection practices are in accordance with the APPs as set out by law. This includes having up-to-date and prominent privacy policies and collection notices. If you are currently not compliant with the EU GDPR or the UK GDPR and intend to trade in those regions, you will need to comply with additional laws that specifically address automated decision making.
For assistance understanding the data collection requirements that may apply to your machine learning algorithm, our experienced artificial intelligence lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
It is an algorithm that uses large data sets to develop models and make predictions. Examples of machine learning algorithms in your business may include those used to determine your customer’s preferences for products on your online store, verify their identity or determine their potential maximum credit limit.
It does not apply to all businesses in Australia. However, it does apply to all Australian businesses with an annual turnover of more than $3 million AUD, that provide a health service, that trade in personal information or that have a contract with the Commonwealth Government.
These are the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR). The EU GDPR applies to businesses that are established in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals.