
It is often said that data is the oil of the 21st century. Nearly every online business collects data from website visitors and customers, and even brick-and-mortar stores have skin in the data game through in-store loyalty cards. Many businesses feed these large data sets into machine learning algorithms that train on the data to make increasingly accurate predictions. You may have implemented a machine learning algorithm within your own business to:

  • determine your customers’ preferences for products on your online store;
  • verify customers’ identity; or
  • determine customers’ potential maximum credit limit.

If you collect personal information and use it as an input to a machine learning algorithm, it is important to understand your legal obligations. This article gives an overview of the general legal framework in Australia. It also looks at additional laws (including the EU GDPR and UK GDPR) that can apply to Australian businesses, depending on their activities.

What Are the Laws Relating to Machine Learning Algorithms in Australia?

In Australia, decisions that impact an individual that are based on automated processes (including machine learning algorithms) are referred to as ‘automated decision making’.

Data Collection and Use

In Australia, there are few specific laws that directly deal with how a machine learning algorithm operates; one example is the laws regulating autonomous vehicles. However, if your machine learning algorithm uses personal information to make automated decisions, you must ensure that your data collection and usage practices comply with Australian privacy laws.

The Commonwealth Privacy Act 1988 is the key piece of legislation regulating data collection and use in Australia. Importantly, the Privacy Act does not apply to all businesses in Australia, but it does apply to all Australian businesses:

  • with an annual turnover of more than $3 million AUD;
  • that provide a health service;
  • that trade in personal information; or 
  • that have a contract with the Commonwealth Government.  

The Privacy Act contains 13 Australian Privacy Principles (APPs) that govern how personal information is collected, used, disclosed, stored and secured. Because the turnover threshold and the exceptions above turn on the facts of your business, you should speak to a privacy lawyer to confirm whether the Privacy Act applies to you.

Personal Information

Under the Privacy Act, personal information means ‘information or an opinion about an identified (or reasonably identifiable) individual, whether true or not, and whether or not it exists in a material form’. 

Personal information is a broad concept and includes information that relates to your customer’s: 

  • preferences; 
  • location; 
  • age; and 
  • contact details. 

Personal information does not include de-identified information, that is, information that is no longer about an identifiable or reasonably identifiable individual. For example, a count of the countries your website visitors come from is not personal information, as long as the location data is held only in aggregated form and is not tied to any individual. Be careful with small groups: an aggregate that contains one visitor from a rare country, combined with other data you hold (such as timestamped logs), can still single that person out, so the individual records and the aggregation method both matter.
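As an added illustration of the distinction the paragraph draws (this is example code written for this page, not code from the original article or from LegalVision), the block below takes constructed record-level visitor data, which is tied to a user identifier and is therefore personal information, and reduces it to country counts. It also applies small-cell suppression so that combinations with very few visitors are folded into an "other" bucket rather than published as a count of one. The threshold of three is an arbitrary value chosen for the example, not a legal standard, and whether a given aggregate is de-identified under the Privacy Act depends on context, not on this check alone.

```python
"""Aggregating visitor location records into counts, with a minimum cell
size so that rare combinations do not still single out one person.

Added example for this page. The VISITS records are constructed sample
data, not real visitors, and the min_cell value is illustrative only.
"""
from collections import Counter

# Constructed sample of web-analytics records (hypothetical).
# Each row carries a user identifier, so at this level the location is
# about a reasonably identifiable individual and is personal information.
VISITS = [
    {"user_id": "u1001", "country": "AU", "city": "Sydney"},
    {"user_id": "u1002", "country": "AU", "city": "Sydney"},
    {"user_id": "u1003", "country": "AU", "city": "Melbourne"},
    {"user_id": "u1004", "country": "AU", "city": "Melbourne"},
    {"user_id": "u1005", "country": "AU", "city": "Perth"},
    {"user_id": "u1006", "country": "NZ", "city": "Auckland"},
    {"user_id": "u1007", "country": "NZ", "city": "Auckland"},
    {"user_id": "u1008", "country": "NZ", "city": "Wellington"},
    {"user_id": "u1009", "country": "GB", "city": "London"},
    {"user_id": "u1010", "country": "GB", "city": "London"},
    {"user_id": "u1011", "country": "GB", "city": "London"},
    {"user_id": "u1012", "country": "IS", "city": "Reykjavik"},
]


def aggregate(records, keys, min_cell=3, other="other"):
    """Count records per combination of `keys`, dropping every other field.

    The user_id never reaches the output, so the result is a table of
    counts rather than facts about named people. Cells with fewer than
    `min_cell` records are folded into an `other` cell (small-cell
    suppression): a count of 1 for a rare country is effectively a record
    about one visitor, and can be matched against other logs you hold.
    """
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    out = Counter()
    for cell, n in counts.items():
        out[cell if n >= min_cell else (other,) * len(keys)] += n
    return dict(out)


def small_cells(records, keys, min_cell=3):
    """Return the key combinations below the threshold, i.e. the cells a
    reviewer should look at before publishing or sharing the table."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return {cell: n for cell, n in counts.items() if n < min_cell}


if __name__ == "__main__":
    # Country-level counts: Iceland has a single visitor and is suppressed.
    print(aggregate(VISITS, ("country",)))
    # Adding city makes most cells tiny; only London survives the threshold.
    print(aggregate(VISITS, ("country", "city")))
    print(small_cells(VISITS, ("country", "city")))
```

Note how adding a second key (city) turns a harmless-looking country table into one where almost every cell is a handful of people. The more dimensions you publish, the closer the "aggregate" gets to the individual records it came from.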

If the Privacy Act applies to your business, and you use personal information in machine learning algorithms, then some of the key aspects of the law to be aware of include that you: 

  • need to make sure that you are open and transparent in relation to your management of personal information;
  • must only collect personal information that is reasonably necessary for your functions or activities; and
  • need to provide notice to individuals about how you handle their personal information when you collect it.

You can do this through your privacy policy and privacy collection notices. 

Australian Government agencies covered by the Privacy Act are required to conduct a privacy impact assessment for ‘high privacy risk’ projects, and the Office of the Australian Information Commissioner recommends that businesses covered by the Act do the same. Further, the Commonwealth Ombudsman has flagged that automated decision-making processes (including machine learning algorithms) that use personal information would likely warrant a privacy impact assessment.

European Union General Data Protection Regulation and United Kingdom General Data Protection Regulation

Most countries have their own legal framework for regulating the collection, use and disclosure of personal information. However, two other important laws that are worth considering for Australian businesses are the: 

  • European Union General Data Protection Regulation (EU GDPR); and
  • United Kingdom General Data Protection Regulation (UK GDPR), which is the UK equivalent. 

The EU GDPR applies to businesses that are established in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals. This means that the EU GDPR or UK GDPR can apply to Australian businesses in some circumstances, even with no physical presence in those regions.

If the EU GDPR or the UK GDPR applies to you, you need to make sure you consider additional laws that relate to machine learning algorithms that operate on the basis of personal information. 

For example, under the EU GDPR, the default position is that a person has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or similarly significantly affects them. Such decisions are permitted in limited scenarios, for instance where they are necessary for a contract with the individual, authorised by law, or based on the individual’s explicit consent. Even then, you must generally give individuals the right to obtain human intervention, to express their point of view and to contest the decision made about them. This is only a broad overview of the legal position. You should speak to a lawyer who is qualified in EU or UK GDPR to understand the requirements that may apply to you.

Independent Standards

Individuals can suffer harm when machine learning algorithms do not operate as intended, including where they are trained on incomplete, inaccurate or biased data. For example, Amazon’s resume-screening AI was reported in 2018 to have been abandoned after it was found to have learned to discriminate against female job applicants.

Notably, in Australia, one in five people who received debt collection notices under Centrelink’s automated welfare debt collection program actually had no welfare debt at all. For this reason, many have called for greater regulation and oversight of machine learning algorithms.

There are a number of voluntary, independent standards that have been developed to help standardise the development and governance of machine learning and AI systems. For example, ISO/IEC JTC 1/SC 42, the joint ISO/IEC subcommittee on artificial intelligence, publishes international standards in this area.

Key Takeaways

If you use machine learning algorithms that process personal information within your business and the Privacy Act applies to you, you need to make sure that your data collection practices comply with the APPs. This includes having up-to-date and prominent privacy policies and collection notices. If you trade in, or intend to trade in, the EU or the UK, you will also need to comply with the EU GDPR or UK GDPR, which contain additional rules that specifically address automated decision making. For assistance in understanding the data collection requirements that may apply to your machine learning algorithm, as well as help developing a privacy policy and collection notice, contact LegalVision’s technology and privacy lawyers on 1300 544 755.

Frequently Asked Questions

What is a machine learning algorithm? 

It is an algorithm that uses large data sets to develop models and make predictions. Examples of machine learning algorithms in your business may include those used to determine your customer’s preferences for products on your online store, verify their identity or determine their potential maximum credit limit. 

Which businesses does the Privacy Act apply to?

It does not apply to all businesses in Australia. However, it does apply to all Australian businesses with an annual turnover of more than $3 million AUD, that provide a health service, that trade in personal information or that have a contract with the Commonwealth Government.  

What are the EU GDPR and UK GDPR?

These are the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR). The EU GDPR applies to businesses that are established in the EU, offer goods and services to EU-based individuals, or monitor EU-based individuals’ behaviour. The UK GDPR has a similar scope of application but in relation to UK-based individuals.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.