Will forcing companies to delete data reduce cybercrime….
July 18, 2025
The desire, if not obsession, of government agencies, private organisations and companies to collect and store information has been a problem for as long as there has been the capacity to make records. It has been regularly satirised (e.g. in Brazil). It is no joke. Digitisation and the ability to store vast quantities of data economically have meant that governments, organisations and companies can collect far more personal information than was thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, has made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot.

The question often posed is how to reduce this honey pot and thereby minimise the exposure of individuals to losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the law is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the market place.

Under the Privacy Act 1988 an entity should only collect personal information that is reasonably necessary for its functions or activities (APP 3), and it must take reasonable steps to destroy or de-identify that information once it is no longer needed for any purpose for which it may be used or disclosed (APP 11.2). That companies collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court where those breaches have been prosecuted. None of this is to say the Privacy Act 1988 does not need further reform. It does. But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.
The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.
It provides, with my notations:
Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.
Theoretically yes. But how much of a difference such a right would make is questionable. Already under Australian Privacy Principle 12 an individual may request access to information held by an entity. APP 12.1 states:
If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
There are exceptions to access. Under APP 13 a person can ask that the entity correct personal information that is “inaccurate, out-of-date, incomplete, irrelevant or misleading.” Again there are exceptions to this right. The reality is that these rights are not exercised on a large scale.
More than 25 million customer accounts have been exposed in just three cyber attacks involving major companies in Qantas, Optus and Medibank.
University of Queensland cyber security expert Ryan Ko says the number of Australians exposed to the risk of cybercrimes such as identity fraud or extortion is “increasing by the day”.
That is very true, and despite this the level of complacency remains high and the quality of training in proper privacy practices remains low. Many companies say they take privacy seriously. Many of those same companies make relatively little effort to put those words into practice.
“There’s no way you can tell how the leaked information is going to be used,” he said.
Professor Ko says there is no end in sight to these mass data heists.
He says that is because highly-organised and opportunistic cybercriminal gangs — some of them state-backed — are well-placed to sniff out the weaknesses of most Australian companies whose “current practice and governance structures [are] not set up to be cyber-resilient”.
True. But much of it is avoidable. Sophisticated hackers, criminal or state-based or both, are not gifted with magical powers. Proper data security and high levels of training would minimise the risk. Making sure third party providers are also sufficiently protected is another requirement.
This is despite Australia ranking as the world’s number one state in cyber defence, according to a Harvard University report in September 2022.
That same month, about 9.8 million Optus customers learned that hackers had accessed their sensitive data including names, birth dates, and in some cases home addresses and passport numbers.
In Queensland alone, the state government had to replace more than 178,000 driver licences.
The hackers exploited security flaws including a publicly available application programming interface.
The next month, hackers targeted Medibank with a ransomware attack, threatening to release the medical records of 9.7 million people on the dark web.
The hackers allegedly swiped an IT staffer’s sign-in credentials from his private computer, exploiting Medibank’s lack of safeguards such as multi-factor authentication, and its alleged failure to act on alerts and warnings from consultants about system weaknesses.
This is a depressingly familiar scenario. Entry through stolen credentials, or through access granted to former employees and contractors that was never revoked, is a common pattern. It is mostly avoidable. More importantly, the defence in depth needed to detect unusual activity by an account that is using valid credentials is often missing.
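As an added example (not from the ABC piece, and not a description of any named company's systems), the kind of detection that paragraph is asking for, written in Python over a handful of constructed log lines. The log format, account names, addresses and thresholds are all assumptions for illustration. It flags three things: an account whose owner has left but which is still being used, a login without multi-factor authentication from an address the account has never used, and a bulk export of customer records within a short window.

```python
"""Flag misuse of valid credentials in access logs (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: accounts that should have been disabled on the given date.
OFFBOARDED = {"jdoe": datetime(2025, 5, 31)}
# Constructed: source addresses each account has been seen from recently.
KNOWN_IPS = {"asmith": {"203.0.113.10"}, "jdoe": {"203.0.113.22"}}
# Constructed log lines. The pipe-separated layout (ts|user|src_ip|mfa|action|records)
# is an assumption, not any real product's format.
SAMPLE_LOG = """\
2025-06-14T09:01:12|asmith|203.0.113.10|yes|login|0
2025-06-14T09:05:40|asmith|203.0.113.10|yes|query_customers|120
2025-06-14T22:13:05|jdoe|198.51.100.7|no|login|0
2025-06-14T22:14:20|jdoe|198.51.100.7|no|export_customers|60000
2025-06-14T22:15:02|jdoe|198.51.100.7|no|export_customers|60000
"""
BULK_THRESHOLD = 100_000            # records per window that no routine job should need
BULK_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    mfa: bool
    action: str
    count: int


def parse(log):
    """Turn the constructed log text into Event objects."""
    events = []
    for line in log.splitlines():
        ts, user, ip, mfa, action, count = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, ip, mfa == "yes", action, int(count)))
    return events


def detect(events, offboarded=OFFBOARDED, known_ips=KNOWN_IPS):
    """Return (user, rule, timestamp) findings; each rule fires at most once per user."""
    findings, fired = [], set()
    exports = defaultdict(list)          # user -> [(ts, records exported)]

    def flag(e, rule):
        if (e.user, rule) not in fired:
            fired.add((e.user, rule))
            findings.append((e.user, rule, e.ts))

    for e in sorted(events, key=lambda x: x.ts):
        # 1. Activity on an account after its owner was offboarded.
        if e.user in offboarded and e.ts > offboarded[e.user]:
            flag(e, "stale-credential")
        # 2. Password-only login from an address this account has never used.
        if e.action == "login" and not e.mfa and e.src_ip not in known_ips.get(e.user, set()):
            flag(e, "no-mfa-new-ip")
        # 3. Volume of exported records within a sliding window exceeds the threshold.
        if e.action.startswith("export"):
            exports[e.user].append((e.ts, e.count))
            recent = sum(c for t, c in exports[e.user] if e.ts - t <= BULK_WINDOW)
            if recent >= BULK_THRESHOLD:
                flag(e, "bulk-export")
    return findings


def summarise(findings):
    """Count findings per rule, for a quick dashboard view."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for user, rule, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {rule}")
```

On the constructed lines the ordinary user triggers nothing, while the offboarded account is caught three ways; in practice the first rule should be unnecessary because the account would have been disabled, which is the point the paragraph makes.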
Watchdog investigations take years
The 2022 breaches exposed the details of not only current but also former customers of both Optus and Medibank.
This is a common problem. Companies are keen to collect data. They are less keen to purge their databases regularly and often have poorly implemented systems for deleting the data of former customers. The problem is chronic in the health industry. GP practices commonly hold records of patients they know have left the practice or have died.
Qantas claimed to have learned from these earlier scandals by deleting old customer data.
Claiming and actually doing are two different things. The APPs are principles-based. Too many companies take the widest possible interpretation of those principles. The guidance issued by the Commissioner is quite general and also capable of wide interpretation. Hence the need to have the Federal Court consider these principles and establish precedent. The problem is that until recently the Privacy Commissioner was a timid litigator.
But last month it suffered an attack via its call centre in the Philippines, which exposed details of 5.7 million current Frequent Flyer customers.
More than a million people came to learn these included their addresses, reportedly including a federal MP who criticised Qantas for not being “upfront about the extent of personal details accessed at the start”.
The airline yesterday said it had found no evidence yet of stolen data being released but was “actively monitoring”.
It took out an interim injunction in the New South Wales Supreme Court to “prevent the stolen data from being accessed, viewed, released, used, transmitted or published by anyone”.
Corporate accountability in Australia — and the prospect of people being compensated for harm by sharing in penalties on corporations that fail to protect their sensitive data — can be a long time coming.
It has not arrived yet. As stated previously, there is an air of complacency born of an absence of effective regulation. It is not too much of a stretch to describe it as an atmosphere of impunity. No doubt companies are concerned about the poor publicity, reputational damage and cost of a data breach, which can extend to class action litigation. That has not shaken the accepted mantra that “it happens to everyone” and “there is nothing to stop it”. Which is nonsense.
The federal government watchdog, the Office of the Australian Information Commissioner (OAIC) is still investigating the Optus breach almost three years on.
That is a valid criticism. The delays are very long. Complaints that lead to determinations take two to three years, and the determinations are handed down with little publicity, so the market has no real understanding of what is acceptable and what is not. The process is unacceptably long. Compared to the FTC in the United States and some European regulators it is languid.
The Australian Communications and Media Authority sued Optus in the Federal Court with the matter still ongoing.
The OAIC’s pursuit of penalties against Medibank also remains with the Federal Court.
And there are several class actions by law firms against Medibank which remain on foot.
The 2022 breaches did spur privacy reforms by the federal government in December, including greater powers for the OAIC, which can now hit companies with fines of up to $50 million for serious breaches (up from $2.2 million).
That is a welcome development and certainly a more effective way of dealing with the more egregious and straightforward breaches, which can be dealt with expeditiously. The Commissioner needs to take action publicly and regularly. Time will tell whether that happens. Until it does the attitude will not change and the poor practices will continue.
A way to ‘take back control’
With regulator crackdowns and legal battles taking years, some experts say there is another proposed reform to address public distrust of companies holding their personal information.
What regulator crackdowns? The work rate has picked up but there is no discernible “crackdown”.
This is the “right to erasure”, which would allow people to force companies to explain what personal information they hold, what they do with it, and to delete or de-identify that information.
There is already a right of access under APP 12 and a right of correction under APP 13. They could be stronger and have too many exemptions. The right to erasure would be a good reform. The problem is whether it will make that much of a difference. There will be a group of individuals careful about their privacy who will use that right. There may be others who through circumstances become animated and use it. And then there is the vast majority who will do little about it, just as they do little about many of their other rights.
Privacy experts such as University of New South Wales academic Katharine Kemp have argued that companies use a “self-serving” interpretation of current guidelines to collect as much customer information as they can, use it for more and hold it for longer.
Ms Kemp is 100% correct. Companies interpret the APPs and the very general guidelines (where they exist) in the most general terms. That does not mean those interpretations are valid. The problem goes back to enforcement. Test cases are required. And they have not eventuated. The Information Commissioner’s track record in the Federal Court has been poor. Some of the Commissioner’s approaches have defied easy understanding. I have appeared in two hearings in the Federal Court where the Commissioner was a party and came away less than impressed.
Some experts say the right to erasure, which has been in place in Europe since 2018, would help stop damaging data hacks.
It may help but I suspect only at the margins. It may reduce the volume of data stolen. It will not stop the hacks. To do that would require a marked change of attitude and expenditure by companies.
And it is a right that 90 per cent of Australians support, according to a 2023 survey of about 1,600 people by the OAIC.
That is a result consistent with Pew research in the United States of America and polls in the United Kingdom. People care about their privacy and want greater control over the information they usually have to hand over.
Technology lawyer James North says he’s no privacy advocate — but giving people more control over how companies use their data can help address the fallout of data breaches.
I don’t completely agree with the conclusion. Giving people more control over how companies use their data would aid data minimisation and make companies’ handling of data more consistent with the purpose for which the data was collected. Again it comes down to enforcement. Companies will not change their behaviour because some people ask to erase their personal information.
James North, who heads the technology practice at law firm Corrs Chambers Westgarth, says there is “a growing sense in the community that … people want more control over their data”.
Very true. Polls for over a decade have shown that people care about their privacy, and there has been a growing feeling of unease about the amount of personal information that must be handed over before a necessary service is provided. Telecommunications companies are egregious offenders in this regard. They say they are only complying with the law. There is an element of truth in that, but there is gross over-caution as well. Real estate agents are also notable over-collectors of information from prospective renters.
He says people have the right to “have the data about you corrected … but you don’t have an explicit right to say, ‘Don’t use my personal data'”.
True.
“So that reform would give individuals more control over their data,” Mr North says.
Correct. But that control is only the first step. The more important question is why the companies are using that personal information at all. Often it is not needed to provide the service for which it was collected.
“I’m obviously not a privacy advocate, I work for big clients and assist them to comply with laws.
“But data minimisation, not collecting data that’s not required for identity checks for example, and having these avenues for consumers to understand what information companies have about them and making sure that it’s appropriate — and for companies to delete information when it’s no longer required — it’s much better than having a breach and then a class action.
Agree. But much of that comes down to making companies realise that the price of not complying with the law is too high. Only when companies realise that they and their directors will suffer real damage, in the form of being publicly sued by the regulator in a firm, timely and assertive manner, will there be a change in the market place. There will always be outliers, but if the attitude changes to one of compliance because the consequences of the alternative are too horrible to contemplate, then data breaches will diminish and the extent of the damage will not be as great.
“That’s in no-one’s interests.”
Removing a ‘honey pot for cybercriminals’
Professor Ko says the reform would be “a great move, and a great direction, especially given the fact that individuals can hold companies or organisations to account”.
Again, a good reform but only a small part of a bigger effort required.
“In terms of implementation, if it’s just within an organisation, the right to erasure is actually technically possible,” he says.
True.
“It also gives the organisations an opportunity to look into how to communicate that with customers, like, ‘If we collect your data, it’s used for this, and when you’re no longer a customer with us, we’ll be deleting this, and you know you can call us’.
Getting companies to take this approach will be something to behold. Companies are often resistant to, or simply unduly process-oriented (and slow) in handling, requests for access and correction under APPs 12 and 13. The new right will not change that mindset of itself. Bringing action against the companies, or getting the regulator to take action, is the answer in the immediate term.
“It’s a good system and a good practice to have and it also reduces the chance of your organisation being a honeypot for cybercriminals.”
I don’t think it in and of itself will reduce the volume of data held and thereby remove the honey pot effect. Getting companies to be more refined in their collection, and to delete personal information when it is no longer needed, is vital. Requiring companies to have proper cyber defences, training, processes and protocols for the handling and storage of personal information, the issuing of credentials and controlled access by third party providers is equally important.
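As an added example (not from the ABC article and not a description of Qantas's or anyone else's deletion process), here is what "deleting personal information when it is no longer needed" looks like as a retention job in Python over a constructed customer table; it also covers the earlier point about purging former customers. The policy it enforces is an assumption for illustration, not a statement of what the Privacy Act requires for any record type: identity-document numbers are removed as soon as verification is complete, former customers are deleted two years after the relationship ends, and records under a legal hold are reported but left alone.

```python
"""Purpose-bound retention over a customer table (added example, constructed data)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; they are not drawn from the Act or any guidance.
RETENTION = timedelta(days=2 * 365)          # how long a former customer's record is kept
ID_DOCUMENT_FIELDS = ("passport_no", "licence_no")  # only needed until verification is done


@dataclass
class Customer:
    id: int
    name: str
    email: str
    active: bool
    ended: Optional[date] = None            # when the relationship ended, if former
    id_verified_at: Optional[date] = None   # verification complete: documents no longer needed
    passport_no: Optional[str] = None
    licence_no: Optional[str] = None
    legal_hold: bool = False                # litigation/regulatory hold: do not touch


# Constructed sample table.
SAMPLE = [
    Customer(1, "A. Smith", "a@example.com", True, id_verified_at=date(2024, 1, 5), passport_no="PA1234567"),
    Customer(2, "B. Jones", "b@example.com", True, passport_no="PB7654321"),  # verification pending
    Customer(3, "C. Lee", "c@example.com", False, ended=date(2022, 3, 1), licence_no="L998877"),
    Customer(4, "D. Kaur", "d@example.com", False, ended=date(2024, 12, 1)),
    Customer(5, "E. Nguyen", "e@example.com", False, ended=date(2021, 6, 1), legal_hold=True),
]


def apply_retention(records, today):
    """Return (kept, deleted, held, log). Input records are not mutated."""
    kept, deleted, held, log = [], [], [], []
    for r in records:
        if r.legal_hold:
            held.append(r)
            log.append((r.id, "legal-hold"))
            continue
        if not r.active and r.ended is not None and today - r.ended > RETENTION:
            deleted.append(r)                 # whole record, documents included
            log.append((r.id, "deleted"))
            continue
        out = r
        if r.id_verified_at is not None and any(getattr(r, f) for f in ID_DOCUMENT_FIELDS):
            out = replace(r, **{f: None for f in ID_DOCUMENT_FIELDS})
            log.append((r.id, "id-documents-purged"))
        kept.append(out)
    return kept, deleted, held, log


def enforce_as_of(iso_today, records=SAMPLE):
    """Run the job as of a given ISO date string."""
    return apply_retention(records, date.fromisoformat(iso_today))


if __name__ == "__main__":
    kept, deleted, held, log = enforce_as_of("2025-07-18")
    for cid, action in log:
        print(f"customer {cid}: {action}")
    print(f"{len(kept)} kept, {len(deleted)} deleted, {len(held)} on hold")
```

Two design points matter more than the code. The job is idempotent and returns a log of what it did, so it can be run on a schedule and audited afterwards; and the passport number is removed even for an active customer, because the purpose for which it was collected (verification) has been served. A richer policy would de-identify rather than delete where aggregate analysis is itself a permitted purpose.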
Government ‘taking time’
The Albanese government agreed “in-principle” to the reform in 2023, subject to exceptions in the public interest, including for law enforcement and national security.
A spokesman for Federal Attorney-General Michelle Rowland says the government is “aware of the significant impacts of data breaches on people whose personal information has been compromised, often without their knowledge, and is committed to protecting the privacy of all Australians”.
He says the government is “continuing work on a further tranche of reforms”.
But he declined to say when it planned to introduce them – or whether they would include a right to erasure.
The reform process has been unnecessarily slow and marked by timidity. The most significant Australian Law Reform Commission report was handed down in 2008. The reforms in 2014 were piecemeal. The 2014 Australian Law Reform Commission report on digital privacy was not acted upon. Instead the Attorney-General’s Department conducted a review from 2019 until 2023, when the government accepted some but not all of its recommendations.
“The government is taking the time needed to get the balance right between protecting people’s personal information and allowing it to be used in ways that benefit individuals, society and the economy,” he says.
This government, and the Morrison, Turnbull, Abbott, Gillard and Rudd governments before it, have all had ample material to work with: Australian Law Reform Commission reports, hundreds of submissions and far superior models of privacy legislation in the United Kingdom, Europe (the GDPR) and even parts of the United States of America. That statement is weasel words, an attempt to defend indefensible and ongoing delays.
“We know this is a complex policy area and engages a wide range of stakeholders with diverse perspectives and interests.”
All of the stakeholders have put in many reports over the years. The positions of the parties have not changed one iota. Business and media groups are generally against robust privacy protections. Government agencies, police forces and national security bodies may support the principle of privacy protection but want (and too often get) significant carve-outs and exemptions when it comes to their own handling of data. The Government understands, but does not relish, that reforming the Privacy Act so it is completely fit for purpose would aggravate those interest groups. But those changes are needed.