The Spectrums of Automated Privacy Policy Compliance
The privacy policy has a vaunted position in the operation of information privacy law. In Australia, there is a renewed focus about the appropriate role of privacy policies and whether current legal obligations under the Privacy Act 1988 (Cth) need strengthening. However, there is a lack of research about the current state of compliance in publicly available privacy policies in Australia. Previous attempts to identify states of compliance are limited and typically involve ‘privacy sweeps’. These are qualitative exercises conducted by relevant regulators and are difficult to undertake at scale. In this paper, we examine a novel automation method for ascertaining privacy policy compliance levels at scale. We combined web scraping technologies to extract data from publicly available Australian government privacy policies with natural language processing algorithms to examine potential compliance levels across three vectors: privacy complaint processes; definitions of personal information; and collection purposes. Our findings indicate that the Commonwealth privacy policies examined are constructed in different ways and have different levels of compliance with Australian Privacy Principle 1. We conclude our paper by outlining the complex spectrums of supervision, standardisation, and intervention that arise from the use of automation tools to ascertain privacy policy compliance levels at scale.