Privacy Foundation demands right to data breach compo from defective organisations

By Julian Bajkowski

October 5, 2022

APF has been warning for years that allowing organisations to amass vast piles of personal information was never going to end well. (sdecoret/Adobe)

Australia’s peak non-government privacy advocacy and advisory body has issued an urgent call for an immediate review of the extent of corporate and government data hoarding in Australia, warning that existing laws and penalties have proven ineffective in the wake of the massive Optus data breach.

The Australian Privacy Foundation (APF) says that people affected by data breaches must be told of their exposures immediately “wherever there is a critical data breach and the provision of clear instructions on steps to take to mitigate potential harms.”

The non-partisan group has been warning for years that allowing organisations to amass vast piles of personal information, essentially for the sake of it, was never going to end well, and is now calling on the government to finally beef up regulators like the Office of the Australian Information Commissioner.

The APF may yet have some success, with lawyers and consumer groups now assessing the feasibility of a class action against Optus and other organisations whose customer data gets exfiltrated onto the dark web.

What’s materially changed in the debate is that both governments and individuals are no longer prepared to cover the financial cost of identity document reissuance after a breach, with the bill being shifted back to the party from which the data is leached.

Both state and federal jurisdictions have told Optus they expect the telco to cover the bulk of identity-remediation costs because they essentially cannot charge consumers for document number rollovers beyond their control.

“According to Deloitte Australia’s Privacy Index 2022, the telecommunication industry is one of the least trusted by consumers for protecting their online information,” the Privacy Foundation said.

The group has also called for an “immediate review of statutory data-retention obligations in Australia, particularly those applicable to telecommunications providers, to confirm the necessity and proportionality of those requirements.”

One item on the heavy-hitting Privacy Foundation’s laundry list of urgent reforms is already underway: the removal of archaic legal shields and carve-outs for organisations proven to be sloppy with data security and holdings.

The carve-outs, and there are many, were largely extracted by business and industry groups as a concession to deter speculative litigation; however, the extent of the Optus breach has turned what was once a theoretical concern into a kitchen table liability.

“Appropriate reforms to the Privacy Act in the current Privacy Act Review [include] the introduction of a data minimisation principle, a right to erasure, and a right to sue for damages for breach of the Privacy Act so that individuals in Australia who suffer a data breach can individually and collectively advance their claims in court,” the Privacy Foundation said.

The right to sue over the mishandling of data, sloppy data security and just plain misuse has already been seared into the consciousness of the public sector via the successful class action against Services Australia and its infamous and illegal robodebt scheme, which is now the subject of a royal commission.

While government agencies are almost entirely exempted from privacy controls for the purposes of revenue protection, the robodebt case and royal commission still ultimately centre on how defective data collected on individuals was put to harmful use by the government and public servants.

The two data-centric incidents have now essentially been combined to create a de facto ‘do no harm’ baseline for data collection and use that will soon be put through its legal paces.

Australian information commissioner Angelene Falk this week flagged she would be seeking to broaden the powers and penalties available to her agency to mitigate the possibility of, and the further harms that would stem from, another incident like the Optus hack.
