Late September data privacy muscled its way onto the centre stage courtesy of Optus and some as yet unnamed hacker.
The Federal Government’s response was – appropriately – to allow Optus no easy alibis; but also to propose unspecified stronger legislation to protect the private information of Australians.
There is a case for stronger legislation. But there is a much stronger case for properly enforcing the privacy legislation already on the statute books.
My privacy law involvement goes back more than half a century. Unlike in Bryan Adams’ song “Summer of ’69”, every spare moment of my summer of that year was spent – not “standin’ on your mamma’s porch” or learning to play guitar “till my fingers bled” – but in the ANU Law Library researching my honours law thesis on privacy protection.
In the mid-1980s I was heavily involved in formulating the Australian Law Reform Commission’s proposals which became Australia’s first Privacy Act – the Privacy Act 1988 (Cth). Although significantly amended, that Act remains the centrepiece of Australian privacy law.
This millennium, for more than seven years I was the Privacy Officer of the CPA – Certified Practising Accountants, Australia.
Optus’ treasure trove of personal data
The Australian public – me included – was startled to learn of the scope and size of Optus’ holdings of personal data: Medicare numbers, passport numbers and driver’s licence numbers included. Optus’ trove contained personal data on half the adult population of Australia – now hacked and private no longer.
Australian Privacy Principles
The cornerstone of the Commonwealth’s Privacy Act is the Australian Privacy Principles.
These Principles have the force of law. Centrally relevant to the September Optus hack of nearly ten million Australians are the rules:
- that Optus and the like must not collect personal information which they don’t legitimately need to collect
- that the Optuses of this world must not retain personal information which they don’t legitimately need to retain
- that they securely protect such information; and
- that if the information is no longer required, they delete and destroy it.
Presumably Optus’ purpose in collecting such information as Medicare numbers, passport numbers and driver’s licence details was to verify the identity of aspiring telecommunications customers. Once those ten million customers were identified, the law required that their information be destroyed. Plainly, Optus was not doing those things. Optus should be prosecuted and it should be heavily punished.
I am very confident, however, that Optus is just one of many, many businesses – large and small – that play fast and loose with the Australian Privacy Principles – and hence with the law on this important aspect of life in the data age.
Office of the Australian Information Commissioner (OAIC)
Which brings us to one of the fundamental problems with privacy regulation in Australia: enforcement of the laws which are on the statute book is weak and haphazard. Enforcement is the responsibility of the OAIC. The OAIC also has responsibility for ensuring that federal Freedom of Information laws are properly administered.
The OAIC has been derelict in its duties both on data privacy and FOI. Notoriously, delays and inaction mark the OAIC’s performance as the public’s watchdog. The OAIC is more docile Newfoundland than junkyard dog.
If cornered, the OAIC would probably say that it is grossly under-resourced. That complaint is probably justified. However, statutory authorities with important public functions have an overriding moral obligation to complain publicly and loudly if they are prevented from doing their jobs.
The most recent Annual Report of the OAIC is dated October 2021, and runs to 171 pages. Its reference to resourcing constraints is muted in the extreme – a bare, two-word reference in the “Commissioner’s review” to “resourcing issues” is as strident and as transparent as it gets. “Don’t mention The War!”
A related issue, often categorised as one of privacy, is spam emails. I get literally hundreds of unsolicited commercial emails every week. Most don’t even have responsive unsubscribe functions. They come from businesses large and small.
There are very large penalties for sending spam commercial emails. Countering spam emails is not the function of the OAIC but of a different Commonwealth agency – the Australian Communications and Media Authority (ACMA).
I know from unhappy experience that it is likely to be a waste of time complaining to ACMA. But as I write this article, I will suspend disbelief and give it a go. (I’m not holding my breath.)
Damages for privacy breaches
In the United Kingdom and New Zealand, a person can sue directly for substantial damages for a breach of the privacy of their personal data.
There is no such right in Australia. By a convoluted process a person can get damages following determinations by the OAIC. However, the damages which can be awarded are limited to non-economic loss; and those are for relatively piddling amounts. The OAIC’s only determination for damages in the past 12 months was for $5,000.
Early last year, the Department of Home Affairs was ordered by the OAIC to pay compensation to nearly 1,300 people, including many refugee applicants, who had been in immigration detention. The Department had negligently published their private data – quite a concern if, for example, a person is fleeing persecution by an oppressive government. I have argued in the Federal Circuit Court about the concern caused to my Tamil refugee clients by the public disclosure – accessible to the Sri Lankan Government – of their identities as people claiming to fear persecution by that Government.
The OAIC’s determination in the Home Affairs’ data breach case included provision for compensation of, for example, between $500 and $4,000 for a person suffering “General anxiousness, trepidation, concern or embarrassment”; with the possibility of going over $20,000 for a person suffering “Extreme loss or damage”.
There is also the possibility of getting damages for breaches of data privacy based on claims such as breach of contract, breach of the Australian Consumer Law or negligence – but no right to sue directly for a breach of the privacy of one’s personal data.
Give us a right to sue for privacy breaches
The cosy Australian approach whereby under-resourced statutory authorities are meant to keep the bastards honest has failed.
One law reform which should be enacted following the Optus debacle is to give Australians the right to sue directly for substantial damages for breaches of the privacy of their personal data.