Secret’s out: The truth about Australian privacy law

Personal information has become a hot commodity in recent years, since the internet has enabled companies to generate huge profits by selling consumer data. 

On one hand, this resource makes it possible for companies to offer more targeted customer service, because they can predict things like spending habits and better anticipate the needs of their communities. On the other, malicious or mistaken breach of sensitive data can cause very serious consequences ranging from financial loss, reputational damage, loss of employment or business opportunities, and emotional distress. In the worst cases, it can even cause public harm by unduly influencing things like politics.

Australia has had statutory privacy protections since 1988. However, these are being tested in a multitude of different ways as increasingly savvy consumers begin to question how their data is really being used.

In April this year, Maurice Blackburn launched a class action against telecommunications operator Optus, accusing it of disclosing the personal details of 50,000 customers. The information included mobile phone numbers and addresses, which were mistakenly published in the White Pages, both online and in print.

The complaint alleges Optus disclosed private information originally collected for another purpose, namely the provision of the company’s services, and failed to take steps to protect the privacy of its customers. It’s the first class action filed against a telecommunications company seeking compensation for breach of privacy, and will provide an important test for the country’s privacy laws. 

“These kinds of privacy breaches are commonplace and often there are very few serious consequences for companies that engage in them. That’s not a good outcome,” says Elizabeth O’Shea, a senior associate at Maurice Blackburn. 

“This affected a very large number of people, and that’s a cause for concern. We need to hold companies responsible when they don’t take privacy seriously, or they will think they can engage in breaches without consequences. Companies need to make sure they’ve got security measures in place to avoid disclosure of personal information in ways other than those in which they’re authorised.”

O’Shea tells LSJ that regulation is important because privacy is essentially a collective right.

Worldwide consequences

Data management was thrust into the spotlight with the infamous Cambridge Analytica scandal of 2018. The British political consulting firm, which worked on Donald Trump’s presidential campaign in 2016, harvested millions of people’s personal data from Facebook without their consent via a third-party application called This Is Your Digital Life. It then leveraged the insights it gleaned to create targeted political advertising. It’s the largest breach in Facebook’s history, affecting an estimated 87 million users.

The issue came to light when whistleblower Christopher Wylie, a former employee, revealed the company was essentially conducting a mass public experiment. It took Facebook CEO Mark Zuckerberg five days to respond when the news broke, eventually acknowledging that the scandal was “a breach of trust between Facebook and the people who share their data with us and expect us to protect it”.

Much of the media coverage at the time focused on the 50 million Americans who were affected, and the scandal’s potential influence on the outcome of the 2016 American presidential election. 

However, in March the Office of the Australian Information Commissioner (OAIC) lodged proceedings against the social media juggernaut in the Federal Court. The claim alleges the circumstances arising from the Cambridge Analytica scandal also seriously and repeatedly contravened Australian privacy law. OAIC says 311,127 Australians were affected by the breach.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Commissioner Angelene Falk said in a statement. “We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.”

A month later, the court granted leave for the documents to be served on Facebook in both the US and Ireland. Judge Thomas Thawley held the material demonstrated a genuine argument and that it was significant enough to justify calling the respondents to Australia so it could be judicially determined.

Trouble with proving harm

One of the biggest difficulties with pursuing issues such as this is proving harm. O’Shea notes it will be one of the most interesting aspects of Maurice Blackburn’s class action, particularly given the fact that the class is so large. It’s a sentiment echoed by privacy experts throughout the profession.

Kieran Doyle is a partner at Wotton + Kearney, where he leads the Australian cyber risk and breach response team. He says new mandatory data breach laws, which came into effect in 2018, are a good start to bolstering the country’s privacy laws, but observes there are still a lot of gaps.

“One of the key issues is that we keep bolting privacy laws onto the Privacy Act, which for businesses [is] 20 years old, so it’s not keeping up with the pace of technology and change. That’s a really big issue,” he tells LSJ. 

“It’s interesting that our law is focused on the protection of information, rather than the protection of the individual – it actually doesn’t give individuals rights. That can lead to gaps, particularly in a global context where most other laws focus on protecting the residents of the jurisdictions where they apply.”

As an example, he says, an Australian could have quite a significant personal information breach in New York, but the law only protects residents of New York, so unless the business that was responsible for the breach was carrying on business in Australia, or collecting information in Australia, there may be no remedies available.

“There’s no tort of privacy in Australia, which is one of the biggest problems in our law. It’s been talked about for a long, long time. My view is that it will come eventually, whether that’s by statutory right or the evolution of case law. Certainly, some of these class actions and regulatory actions might help in establishing that,” he says. “But for right now, our Australian law is falling quite far behind.”

Global privacy standards

Many consider the General Data Protection Regulation (GDPR), which came into effect in the European Union in 2018, to be the gold standard in privacy protection. According to the EU, it’s the “toughest privacy and security law in the world”, and it imposes obligations on organisations all over the world that are targeting or collecting data related to EU citizens. The GDPR’s roots link back to the 1950 European Convention on Human Rights, which states that “everyone has the right to respect for his private and family life, his home and his correspondence”. Penalties can reach tens of millions of euros.

The United Kingdom also has much more comprehensive rules around privacy. As COVID-19 broke out around the world, forcing millions of people to swiftly adapt to working from home, video-conferencing app Zoom exploded in popularity. It was used by people in all professions, including the legal sector, but it wasn’t long before concerns were raised about the security of information being exchanged.

In March this year, an investigation by Vice Media Group’s Motherboard reported that Zoom’s iOS app was sending data for Facebook, even relating to people who didn’t have a Facebook account, and observed that the company’s privacy policy didn’t explicitly mention the possibility of a data transfer. Data collected included the model of the user’s device, which phone carrier they were using, their time zone and city, and information that could be used to target users with advertisements.

The company has since removed the Facebook software and updated its privacy policy, however, lawyers in the United Kingdom have noted that Zoom is potentially at risk of compensation claims.

Such action is not possible in Australia. While we have common law protection of confidential information, which includes potential awards of damages, and the Privacy Act, we lack a law that gives people the right to claim damages for release or misuse of private information.

Informed consent is critical

Many Australians would be shocked to know where and how their data is really used. Last year, an investigation by ABC’s 7:30 revealed that gambling firm Sportsbet was using de-identified customer transaction data from National Australia Bank (NAB) account holders to fine-tune its ads. NAB’s privacy policy omitted to explain information would be passed along to an analytics firm, and other parties.

In 2018, another ABC investigation found that HealthEngine, Australia’s biggest medical appointment booking platform, was sharing people’s personal information with personal injury law firms.

Ian Aldridge, Founder and Principal at Progressive Legal in Darlinghurst, specialises in helping small businesses. He says comprehensive privacy policies should be considered as part of the essentials of setting up a business, alongside company registration and governance documents. However, he says too often they’re pushed to the side until businesses take off, which can have very serious consequences.

“There are a lot of people running around without them, and for some of them it’s actually mandatory. If you’re doing less than $3 million dollars annually, you don’t need one under the Privacy Act, unless you’re collecting certain types of information – health, medical – then you do. The truth is that even if you aren’t required to have one by law, it’s good practice for all businesses to get one,” he tells LSJ.

Clients are becoming increasingly savvy as more and more businesses move online, which is why Aldridge likens privacy policies to insurance policies. Sometimes, things go wrong, which is why it’s critical that businesses disclose all contractual information and privacy policies prior to purchase, and that all reasonable efforts are made to ensure they acknowledge and agree to terms and conditions.

“The consequences of getting it wrong can be disastrous, and for a small business, potentially business-ending,” he says. “If it comes to a tribunal and you don’t have any terms and conditions around privacy, you’re in big strife. If they’re not clearly laid out in plain English, with no ambiguity and nothing contradictory, it can be a problem. It’s almost a reverse onus of proof – only once a business owner can prove they’ve done A, B, and C, will they ask the consumer what they have to say about it.”

Privacy best practice

Australia is not immune to large-scale privacy breaches, which means strong consumer protections are imperative. A 2019 report published by the OAIC about its notifiable data breaches scheme found that 60 per cent of data breaches were the result of a malicious or criminal attack, while 35 per cent occurred due to human error. The health and financial sectors were found to be most at risk.

“Unless people realise this can happen to them, they won’t take it seriously,” says Sylvia Choa, a cybersecurity expert at technology advisory firm KJR. 

She tells LSJ that best practice requires three things. First is minimising data collection and only recording what is actually needed, second is opening a two-way conversation with consumers to ensure consent is given, and third is improving data security.

That means corporate box-ticking is no longer good enough. On top of legal protections, such as the implementation of robust privacy policies, Choa says privacy and cybersecurity training must be conducted regularly, and it must be made relevant to the employees, because education and awareness is the key to protecting sensitive information and avoiding the consequences of a breach.