By Dr Bruce Baer Arnold -
Trust – whether in governments, businesses or other people – is the foundation of Australia as a liberal democratic state. The recent data breach at Optus has highlighted an uncomfortable truth about the level of trust we place in organisations. Timely and credible responses by stakeholders may restore trust in both public and private sector entities; however, there is still work to be done.
Our trust culture differentiates us from the disengagement, coercion and endemic corruption apparent in regimes such as Putin’s Russia and the Taliban’s Afghanistan. Trust enables a rule of law, as distinct from the often arbitrary rule by law in those regimes. It is eroded through perceptions that governments have been captured by particular stakeholders or driven by technological imperatives badged as “e-government”. It is also eroded by failures within non-government bodies as a result of defective design, inadequate supervision and unduly permissive regulation.
This article considers the September 2022 data breach at Optus, a dominant Australian telecommunication service provider, as a base for thinking about trust, law and community expectations. It suggests that the apparent disclosure of personal information about millions of people held by Optus is not exceptional. It also suggests that timely, credible responses by stakeholders will serve to strengthen trust in both public and private sector entities, underpinning community support for measures that on occasion will be onerous and require discussion about national values such as privacy.
The 2019 Election Study from the Australian National University reported that satisfaction with democracy is at its lowest level since the constitutional crisis of the 1970s, with trust in government having reached its lowest level on record. Just 25 per cent of Australians reportedly believe people in government can be trusted, 56 per cent believe government is run for “a few big interests” and only 12 per cent believe the government is run for “all the people”. That disquiet is increasing, with, for example, a 27 per cent decline since 2007 in stated satisfaction with how Australia’s democracy is working. The Study’s authors found that overall trust in government had declined by nearly 20 per cent since 2007; three quarters believe that people in government are looking after themselves. That data is consistent with findings from other studies, with reports of corruption at the national, state and municipal levels, alongside disillusionment about the absence of a moral compass among leaders, disregard of conventions through secret ministerial appointments and denial of responsibility for administrative failures such as RoboDebt. In part, the dissatisfaction reflects populist campaigning during successive elections and communities seeking reassuringly simple answers as they struggle with economic and social change. It also reflects incomprehension about the legal system, evident in an extreme form by adherents of the sovereign citizen mumbo jumbo.
Privacy is salient in the world of surveillance capitalism, big data and big breaches of data about individuals. That salience reflects the potential for harms – for example, misuse of identifiers to engage in identity crimes. It also more subtly, and from the perspective of trust equally importantly, reflects concerns that panopticism within the public and private sectors objectifies individuals in ways that erode autonomy and other aspects of dignity.
It is axiomatic that privacy, along with other human rights, is not an absolute. Exercise of entitlements such as voting and the benefits attributable to planning based on the national census necessitate some collection and, on occasion, verification of identity data. Provision of face-to-face and online services in the private sector similarly relies on data that is definitely or approximately associated with individuals. Provision of a range of data is unremarkable; however, people do have a reasonable expectation that such data will be both safeguarded and not misused by public/private sector entities that understand their activity as one of data ownership but might more positively think in terms of data custodianship.
One consequence is that people assume legislators will enact a range of fit-for-purpose legislation covering personal data, traditional practices such as peeping and prying, and administrative restraints on law enforcement activity such as strip searches and covert surveillance. In 2022, we have a complex body of national, state and territory legislation and administrative protocols regarding personal data, surveillance, identity verification and other matters that involve privacy. Much of that legislation is highly sectoral – for example, specific to the tax file number regime, personal health data, or particular surveillance technologies. Much is inconsistent or overlapping within or across jurisdictions. It is broader than “information privacy”. Incoherence aside, it fits awkwardly with community views regarding the importance of privacy (evident in recurrent studies) and with international benchmarks such as the EU General Data Protection Regulation and emerging legislation in the US such as the California Privacy Rights Act.
People also assume that, with the numerous integrity agencies, privacy commissioners and other entities with charters to oversee or implement, the law will both be capable and be seen to be capable. That assumption is often disappointing, given the reality that the privacy commissioners at national and state/territory levels continue to be underfunded (and on occasion subject to disruption through restructuring or threats of abolition), lack in-house expertise, are reluctant to engage with criticism and are susceptible to entities they are meant to regulate. They rarely rely on soft power in the form of timely public condemnation of inadequate practice, and in interpreting legislation such as the Privacy Act 1988 (Cth) emphasise lowest common practice rather than best practice. Regulatory failure results in distrust and disengagement, as do sporadic policy changes based on the “need to be doing something”, which might exacerbate problems.
Legal practitioners and civil society actors looking at the 2022 Optus data breach might accordingly ask whether large-scale foreseeable disclosure of personal data relating to millions of people is an inflection point – something that will result in better practice and increased trust – or privacy business as usual, in other words policy development and implementation as a matter of muddling through.
As of early September 2022, we do not know much about the Optus breach, in the same way that we do not know much about breaches at other telecommunication service providers, education institutions, health service providers and government agencies where there has been unauthorised (and avoidable) exposure of pathology test results, refugee applications, payroll details or other sensitive data. There has been conflicting information about what data has been exposed, who is affected and what copies of the data are available on the dark web. There have been expressions of outrage by consumers and condemnation by politicians, with criticism both of the breach and of Optus’s response.
Information about the event is trickling out, reviews are underway, and reassurance is being provided in a climate of fear and uncertainty. The national government is referring to the review of the Privacy Act that is underway. That review might be usefully informed both by reports from the Australian Law Reform Commission (ALRC) and the report by the Australian Competition & Consumer Commission (ACCC) on Digital Platforms, a forward-looking regulatory regime addressing concerns about overseas-based data giants such as Alphabet (Google) and Meta (Facebook) that have often been perceived as too big to regulate in the absence of international agreements alongside co-operation with key trade practices agencies in Europe and North America.
Responses to the Optus breach are relevant for trust, and from a consumer perspective are inadequate. The first response was a formulaic public apology provided in a media release, messages to individual consumers and full page newspaper advertisements. Globally we have seen a succession of apologies in which corporations (or, more rarely, chief executives) express regret, assure customers of their importance and voice a commitment to continuing the customer relationship. Such wording may be heartfelt, but, in an environment where trust has been eroded, it is likely to be taken with more than a pinch of salt. That is particularly the case where executives who have previously referred to corporate social responsibility retain their positions and do not forgo bonuses. Existing or increased bonuses after a large-scale breach are typically justified through reference to demands on executives for repairing the corporate brand after the unforeseen incident.
A second response was to offer short-term credit watch services, something relevant to financial data but not for most health data. Optus, for example, eventually announced that affected customers would receive services from giant credit referencing service Equifax. Optus customers might view that offer as a meaningful sign of corporate contrition. Privacy specialists would note that Equifax famously experienced a very large breach of data about its customers. During May and July 2017, the breach appears to have resulted in unauthorised disclosure of identifiers of about 147.9 million people in the US, and 15.2 million British citizens. The data included names, birth dates, addresses, Social Security numbers, driver licence numbers and credit card details. As with the failure of corporate rating and accounting giants to prevent harms such as Wirecard, Enron and the looting of Malaysian investment group 1MDB, we might wonder about the capability of guardians whose size means they can be trusted to provide solutions and can shrug off penalties that would destroy a smaller competitor. Presumably many Australian consumers will stay with Equifax once Optus stops paying for the support. Others may sign up with an Equifax competitor or simply hope for the best and wait for the next breach.
A third response, which we have seen with Optus, is to appoint consultants to conduct an independent investigation. Such investigations are not necessarily hard-hitting and fully informed. Like a succession of reports from the Office of the Australian Information Commissioner (OAIC) and other regulators, they rarely provide much detail to the public. The paucity of detail might be defended as sensible: a matter of not assisting hackers by providing insights about weaknesses within a specific organisation or across a sector where many businesses engage in similar transactions. From a cyber security perspective, we should hope that Optus readily shares its “learnings” with government agencies and competitors who are likely to face the same problems and have responsibilities under the national Security of Critical Infrastructure regime. The comprehensiveness and effectiveness of that sharing is a matter of trust.
Systemic failure within the finance sector was addressed through the Hayne Royal Commission, with hearings and reports that disclosed problems in leading corporations and affiliates that properly elicited expressions of outrage from journalists, politicians and members of the public. That outrage, and criticisms that regulators such as the Australian Prudential Regulatory Authority and Australian Securities & Investments Commission had been unduly permissive in supervising businesses and responding to alarms raised by borrowers, advisers and lawyers, gained media attention for several months. Promises of more effective regulation, including commitments to enact new fit-for-purpose legislation, were walked back as part of the national government’s response to COVID-19. Hayne provides a benchmark for assessing the likely outcomes of investigations into the Optus data breach and promises that amendment of the Privacy Act will either prevent or fundamentally mitigate future breaches in the finance, health, education, real estate and other sectors.
This article began by asking whether the Optus breach is a potential inflection point in community understanding of privacy and regulatory responses. Australian regulatory frameworks over the past 30 years have emphasised a “light touch” approach that is meant to reduce compliance costs, foster competition, encourage innovation and otherwise drive economic growth. An unspoken assumption has been that in such an environment consumers will discipline erring or disrespectful corporations by withdrawing their trust and shifting to a competitor. Through the ballot box, citizens will also discipline governments that fail to meet community expectations by weakening regulators and gatekeepers such as the Australian National Audit Office, obfuscating accountability through administrative barriers to information access under Freedom of Information schemes and disregarding recurrent calls by the ACCC to increase penalties to deter corporate misbehaviour.
Those assumptions are misplaced. It is likely that many disgruntled Optus customers will not switch to a competitor and thus will not discipline the disregard of their trust. Some will conclude that corporations such as Telstra have the same vulnerabilities and may indeed already have experienced breaches. That perception is correct: Telstra has recurrently experienced breaches and has not faced significant sanctions by the OAIC or the Australian Communications & Media Authority (ACMA). Counter-intuitively, some consumers are likely to experience data breach fatigue, lowering their vigilance (and their expectations of corporate performance) after concluding that data breach is inevitable. If you cannot trust a multi-billion dollar corporation to safeguard personal information and cannot rely on regulators to quickly, transparently and effectively require compliance, should we embrace the claim that “privacy is gone, so get over it” or the more subtle argument by a leading criminal law academic that a “right to privacy” is an indulgence by “woolly-minded members of the middle classes”, akin to belief in the tooth fairy? It is unclear whether that gibe is a matter of questioning the reality of human rights or simply of restating claims by law enforcement representatives that privacy gets in the way of effective (or convenient) policing and national security. The very comfortable member of the middle class denying the validity of privacy has, of course, sensibly chosen not to publish his personal data on the internet or walk naked down Collins Street during a Melbourne rush hour.
Disengagement from private care of personal data in a world of ongoing data breaches is exacerbated by consumer recognition that individuals are often required to provide personal data to government agencies, businesses, education institutions and other entities. Australia is both an information society and an identity state, with mandatory provision of personal data (often the same data) to a range of agencies, alongside provision of “proofs of identity” to non-government bodies in relation to, for example, renting a house, leasing a car, setting up a bank account and gaining a mobile phone. Living “off grid” is inconvenient; in practice it is impossible for most families and some sharing of personal data is a legitimate price to pay for entitlements such as voting, the public health system, aged care and other income support, and public infrastructure such as roads and dams. The abracadabra expressed by sovereign citizens does not make roads and hospitals appear out of thin air, and perplexes rather than persuades courts and tribunals.
Early reporting of the Optus breach featured forecasts of large scale class action against Optus, ironically an unrecognised echo of a much-publicised but stillborn US$70 billion claim over the 2017 Equifax breach. A succession of ALRC reports, state law reform commission reports and parliamentary committee reports have noted and broadly endorsed civil society calls for establishment of a statutory cause of action – often dubbed the privacy tort – for serious invasions of privacy. In ABC v Lenah Game Meats (aka the Possum Case) the High Court did not comprehensively and expressly reject the development of a common law cause of action, instead signalling that a remedy for egregious disregard of privacy might best be provided through statute. A privacy tort remains contentious. It would not necessarily substantively erode the implied freedom of political communication, end the viability of Australian media organisations, prevent investigative journalism, vitiate the nation’s confusing whistleblowing regime or replace disciplinary proceedings against officials who have exploited privileged access to databases in order to stalk ex-partners.
Unfortunately, such a tort appears very unlikely to provide an effective remedy for incidents such as the Optus breach. A key difficulty is causation. Optus, along with other public and private sector entities, will acknowledge that there has indeed been a breach. Is it however legally responsible for harms, as distinct from changing personal identifiers such as credit card details or gaining a replacement passport? Is the identity crime experienced by a particular individual or class of individuals definitely attributable to that specific breach or instead to another breach (or breaches, some of which may not be recent and indeed may not have gained much publicity)? One counter-intuitive effect of the Optus breach, alongside the data breach fatigue phenomenon noted above, is thus likely to reinforce distrust of the legal system, with some consumers concluding that private law remedies are either unavailable or ineffective and that the justice system is biased towards large corporations.
Establishment of a statutory cause of action for egregious disregard of privacy by individuals, corporations and government bodies is appropriate. The usefulness of such a tort and its shape is articulated in the law reform reports noted above. As with the eventual establishment of uniform defamation and corporations law, such reform is achievable by a progressive government alongside a community education campaign that, for example, engages with the Law Council of Australia and the individual law societies. The tort is not, however, a comprehensive solution that obviates the need for a broader community consultation regarding systematic improvement of privacy-related law across Australia. It also does not obviate the need for cultural change within the various privacy agencies, underpinned by greater resourcing and a shift away from lowest common denominator interpretation of the Privacy Principles that are expressed in key national and state/territory information privacy statutes.
The Optus breach is meaningful because of what data has been breached, rather than merely the number of affected individuals or the mechanics of what appears to have been a readily preventable breach. In response to policies dealing with counter-terrorism, welfare fraud, health practitioner regulation, money-laundering and professional qualifications, individuals in Australia are unremarkably required to provide public and private sector entities with a range of identifiers about themselves. Those identifiers assist billing (for example, by businesses such as Optus) and mandated identity verification, often on the basis of automated large-scale data matching. During the past three decades, governments have strengthened formal requirements for collection by private sector bodies of personal data and have increasingly sought to extend official access to associated data – for example, by mandating collection and retention of telecommunication traffic data under the controversial metadata scheme. Ongoing law enforcement and national security legislation has provided warrantless access, with administrative convenience being offset to some extent through oversight by specialist monitoring agencies alongside the under-resourced Ombudsmen. That oversight is one basis for trust.
The Optus breach reportedly features data from officially issued identity documents such as driver licences, Medicare cards and passports alongside data such as birth dates and less stable data such as email or physical addresses. Such data provides a basis for different identity crimes, especially if combined with other data elsewhere on the dark web or able to be obtained using data through impersonation based on the breach. There is disagreement about whether Optus needed to retain the data for its own purposes or for provision to law enforcement, particularly as some data appears to have been provided for gaining an account with the company several years ago and has not been in question.
It is highly likely that Optus’s competitors and many public/private sector entities have similar troves of data that should have been expunged proactively rather than being left to expand as an attractive target for a hacker. One positive outcome of the breach should accordingly be the development of an up-to-date framework for handling personal identifiers that are no longer needed, consistent with Privacy Act provisions regarding data disposal, and corresponding state/territory enactments dealing with health and other data. Unsurprisingly, the national government has, in response to the breach, been concerned to assist people who have been or might be affected by that breach. The response represents a conundrum: unauthorised sharing of data by Optus is to be addressed by a change to legislation that will authorise telecommunication providers to share more data with banks. The rationale for the extended sharing, which deepens the pool of data potentially available to hackers, is to prevent fraud. Details of the legislation are unclear and are likely to be shaped by the traditional closed-door consultations with industry. It is conceivable that it will encompass bodies other than banks, reflecting for example the development of the Consumer Data Right regime that is meant to foster growth of fintech providers alongside enabling consumers to switch accounts across lenders, insurers and utilities. The businesses will apparently be required to promise the ACCC that they will comply with privacy rules.
Importantly, the businesses and Optus are already required to comply with rules, so a more effective response ahead of future breaches – and the sharing with business partners permitted under contract law – would be to significantly strengthen the capability rather than just the formal authority of bodies such as the ACMA and the OAIC.
As a legal system we need a more nuanced, informed and less reactive privacy framework that anticipates the emergence of population-scale genomic data mining and precision medicine rather than traditional concerns regarding credit card misuse, phone number spoofing and driver licence fraud. Public and private responses to the Optus breach will build trust in law and administration if they encompass a cross-sectoral understanding of privacy values and trade-off, encourage systematisation of surveillance and data protection enactments across the jurisdictions, and reshape the very balkanised regulatory landscape.
