March 22, 2023

How Australia Fell Behind on Data Privacy

4 min read

A recent spate of cyberattacks have highlighted the nation’s relatively lax approach to safeguarding personal data. But change may be on the way.

It seems like we’re seeing a cyberattack on a major Australian company every week. After the Optus breach — the biggest in Australian history, with the personal information of 9.8 million customers compromised — a Woolworths subsidiary reported that 2.2 million customers’ data had been exposed in a cyberattack. The online wine retailer Vinomofo announced a breach. And Medibank is contending with extortion threats after a cyberattack last week that saw customer data, including sensitive medical information, exposed.

We’re living in a dangerous new era, according to Clare O’Neil, the cybersecurity minister, and these kinds of cyberattacks will become only more common.

What we’ve seen in the last month shows that we’re “behind the eight-ball,” she said today . “We need to really step up our game in Australia in terms of policy, in terms of citizens and in terms of how we think about this problem.”

So how did we fall behind? And what can we do now? I talked to two experts, Brendan Walker-Munro, a senior research fellow with the University of Queensland’s Law and the Future of War research group, and Tony Song, a University of New South Wales law and justice research fellow, to find out.

For the past two decades, in the post-9/11 environment, they said, Australia’s legislative focus has largely been on granting law enforcement and intelligence agencies access to personal data. Questions of data privacy, as a result, fell to the wayside.

While Australia faces the same challenges as other countries, like regulations struggling to keep up with technological advancements, some other jurisdictions have been quicker to respond to changing consumer attitudes, Dr. Walker-Munro said. Whereas here, until now, “there hasn’t been a really big strong push from consumers to say, ‘This is not an acceptable way of doing business.’”

Australians have a generally lax attitude to data privacy, he said, as an extension of our generally relaxed culture. “We’re all just kind of like, ‘Yeah, it’ll be all right, we’ll sign over our information to these big companies and trust them to do the right thing,’ instead of going ‘Why does the company need this information? Once you’re satisfied I’m me, why do you need to keep my passport number, my Medicare number? If you can’t answer that question, then get rid of it.”

Of course, some companies, like medical insurers, are always going to need to keep sensitive data. But there are already signs of consumers starting to challenge data-gathering practices in some industries, like the real estate sector, where renters can be asked to provide immense quantities of personal information.

The government’s strong response to the Optus data breach was promising, Dr. Walker-Munro said, as is the fact that in the past few years, some departments, like Home Affairs, have already started thinking about data as a “national asset,” which should be protected in the same way as we’d protect something critical to the business economy, like an oil refinery or a power station.

Australia isn’t lagging egregiously behind other countries, said Mr. Song, who estimated that we’re to about 75 percent of where he thinks we need to be. The other 25 percent would be taking away some of the current broad discretion companies have to retain data if they can argue it serves a legitimate purpose.

The European Union, for example, has the “right to be forgotten,” under which consumers can instruct a company to delete their personal data if it no longer serves the purpose it was originally collected for. Under this law, if a customer moved from, say, Optus to Vodafone, she could request Optus to delete all her personal data.

Fines could also be increased, he said. In the E.U., the authorities can impose fines of up to $19.5 million (20 million euros) or 4 percent of worldwide profits, whichever is higher, for breaches of its privacy laws. In Australia, the maximum penalty is $1.4 million (2.2 million Australian dollars) and even that is rarely imposed; fines in the thousands or tens of thousands of dollars are more common, he said.

The best thing that an overhaul to the law could do is change the culture, he added, so that legislators, companies and consumers all know that “privacy has to be not just ticking a box but something they need to critically think about and address.”