
It is often said that data is the oil of the 21st century. Nearly every online business collects data from website visitors and customers. Even brick-and-mortar stores have skin in the data game with the advent of in-store loyalty cards. Many businesses feed these large data sets into machine learning algorithms that train themselves to make increasingly accurate predictions. You may have implemented a machine learning algorithm within your own business to:

  • determine your customers’ preferences for products on your online store;
  • verify customers’ identity; or
  • determine customers’ potential maximum credit limit. 

If you collect personal information and use it as part of a machine learning algorithm, it is important to understand your legal obligations. This article provides an overview of the general legal framework in Australia. It also looks at additional laws (including the EU GDPR and UK GDPR) that can apply to Australian businesses, depending on their activities.

What Are the Laws Relating to Machine Learning Algorithms in Australia?

In Australia, decisions that impact an individual that are based on automated processes (including machine learning algorithms) are referred to as ‘automated decision making’.

Data Collection and Use

In Australia, there are few specific laws that directly deal with how a machine learning algorithm operates. One example is the laws regulating autonomous vehicles. However, if your machine learning algorithm uses personal information to make automated decisions, you must ensure that your data collection and usage practices comply with Australian privacy laws.

The Commonwealth Privacy Act 1988 is the key piece of legislation regulating data collection and use in Australia. Importantly, the Privacy Act does not apply to all businesses in Australia, but it does apply to all Australian businesses:

  • with an annual turnover of more than $3 million AUD;
  • that provide a health service;
  • that trade in personal information; or 
  • that have a contract with the Commonwealth Government.  

The Privacy Act contains 13 Australian Privacy Principles (APPs) that govern data collection, processing and disclosure. If you are unsure whether the Privacy Act applies to your business, you should speak to a privacy lawyer.

Personal Information

Under the Privacy Act, personal information means ‘information or an opinion about an identified (or reasonably identifiable) individual, whether true or not, and whether or not it exists in a material form’. 

Personal information is a broad concept and includes information that relates to your customers’:

  • preferences; 
  • location; 
  • age; and 
  • contact details. 

Personal information does not include de-identified information. For example, an aggregated count of the countries your website visitors come from is de-identified, as long as the location information is not tied to any actual individual and is held only in that aggregated format.

If the Privacy Act applies to your business, and you use personal information in machine learning algorithms, then some of the key aspects of the law to be aware of include that you: 

  • need to make sure that you are open and transparent in relation to your management of personal information;
  • must only collect personal information that is reasonably necessary for your functions or activities; and
  • need to provide notice to individuals about how you handle their personal information when you collect it.

You can do this through your privacy policy and privacy collection notices. 

Businesses that are covered by the Privacy Act are also required to conduct a privacy impact assessment for ‘high privacy risk’ projects. Further, the Commonwealth Ombudsman has flagged that automated decision-making processes (including machine learning algorithms) that use personal information would likely require a privacy impact assessment. 

European Union General Data Protection Regulation and United Kingdom General Data Protection Regulation

Most countries have their own legal framework for regulating the collection, use and disclosure of personal information. However, two other important laws that are worth considering for Australian businesses are the: 

  • European Union General Data Protection Regulation (EU GDPR); and
  • United Kingdom General Data Protection Regulation (UK GDPR), which is the UK equivalent. 

The EU GDPR applies to businesses that are in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals. This means that the EU GDPR or UK GDPR can apply to Australian businesses in some circumstances.

If the EU GDPR or the UK GDPR applies to you, you need to consider the additional rules in those laws that govern machine learning algorithms operating on personal information.

For example, under the EU GDPR, the default position is that a person has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or similarly significantly affects them. There are scenarios where you can use automated processing. However, individuals must often have the right to obtain human intervention or to contest the decision made about them. This is only a broad overview of the legal position. You should speak to a lawyer who is qualified in EU or UK GDPR. They will help you to understand the legal requirements that may apply to you.

Independent Standards

Individuals can suffer harm when machine learning algorithms do not operate as intended. This includes where they are trained on incomplete or inaccurate data. For example, Amazon’s resume-reviewing AI was dropped in 2018 after it was found to have taught itself to discriminate against female job applicants. 

Notably, in Australia, one in five people who received debt collection notices under Centrelink’s automated welfare debt collection program, actually had no welfare debt at all! For this reason, many have called for greater regulation and oversight of machine learning algorithms. 

There are a number of voluntary, independent standards that have been developed to help standardise machine learning and AI algorithms. One example is the work of ISO/IEC JTC 1/SC 42, the international standards subcommittee for artificial intelligence.

Key Takeaways

If you use machine learning algorithms that use personal information within your business and the Privacy Act applies to your business, you need to make sure that your data collection practices are in accordance with the APPs as set out by law. This includes having up-to-date and prominent privacy policies and collection notices. If you are currently not compliant with the EU GDPR or the UK GDPR and intend to trade in those regions, you will need to comply with additional laws that specifically address automated decision making. For assistance in understanding the data collection requirements that may apply to your machine learning algorithm, as well as assistance developing a privacy policy and collection notice, contact LegalVision’s technology and privacy lawyers on 1300 544 755.

Frequently Asked Questions

What is a machine learning algorithm? 

It is an algorithm that uses large data sets to develop models and make predictions. Examples of machine learning algorithms in your business may include those used to determine your customers’ preferences for products on your online store, verify their identity or determine their potential maximum credit limit.

Which businesses does the Privacy Act apply to?

It does not apply to all businesses in Australia. However, it does apply to all Australian businesses with an annual turnover of more than $3 million AUD, that provide a health service, that trade in personal information or that have a contract with the Commonwealth Government.  

What are the EU and UK GDPR?

These are the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR). The EU GDPR applies to businesses that are established in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals.

Blythe Dingwall