Australia should adopt 'gold standard' in data laws after Optus leak
Changing to the European Union standard would add significant penalties for companies and protections for consumers, says a UNSW expert in the future of law.
The federal government should urgently adopt measures like the European Union's General Data Protection Regulation (GDPR) to protect Australians after the massive Optus data breach, said a UNSW Sydney law expert.
UNSW Law & Justice's Tony Song, who is a Research Fellow for the NSW Law Society's Future of Law and Innovation (FLIP) research stream, said the serious data breach at Optus that exposed millions of Australians to fraud should spark a complete overhaul of the nation's protections for consumers.
Australians this week were coming to understand the seriousness of the exposure of their personal data and the complexity of the steps they must now take to protect themselves against identity theft after the Optus breach.
The data of almost 10 million Australians were exposed, with 2.8 million people having important identity documents exposed including passports and driver's licences.
"I think our laws should at the very least be updated to match the EU's GDPR, which has become something of the gold standard for data protection regulation," Mr Song said.
Described as the "toughest privacy and security law in the world", the GDPR is a legal framework on data protection and privacy that was put into force by the European Union (EU) on 25 May 2018.
Mr Song said the GDPR is considered a revolutionary law not just for its , but also in its law-making process, representing the culmination of six years of negotiation between member states in the EU's institutional structure that includes the European Parliament, European Council and European Commission.
"This means increasing the penalties not just for the cyber criminals, as suggested by Shadow Home Affairs Minister Karen Andrews – as this will not effectively deter bad actors, who will assume they will not get caught anyway – but actually for the companies that hold, use and process all our data," he said.
"Our current $2.2 million limit [in corporate penalties for breaches] is nothing compared to the GDPR's maximum of $20 million euros or 4 per cent of the firm's worldwide annual revenue. For many large tech companies, that is still peanuts to them."
While passed by the EU, the GDPR is designed to apply regardless of jurisdiction, Mr Song said.
This means the GDPR has extra-territorial scope, so that it requires any country or organisation outside the EU doing business in the EU (anyone "processing" or "controlling" EU data) to comply with GDPR obligations.
"While the GDPR is not perfect, it still represents the current world standard for privacy protection, and at the very least serves as a base-layer foundation for information and data protection law to build up from," Mr Song said.
Australia is in the process of reviewing the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which is significantly based on requirements and concepts found in the GDPR and the California Consumer Privacy Act of 2018.
"This Bill has been in the pipeline for a while, so the news articles extolling that new laws will be enacted in response to the Optus breach are only half-correct. While the Optus breach will no doubt prioritise attention to rushing the Bill through, these laws were already in the process of being reformed even before the incident," Mr Song said.
Mr Song said that changes for companies and consumers could include:
Mr Song said that besides benefits for consumers in the longer term, this suite of potential changes could have significant benefits for companies.
"By harmonising or adopting a GDPR-style framework, it could improve trade and collaboration between Australia and the EU, and greatly improve the prospects of finalising the free-trade agreement with the EU that Australia is ... negotiating on," he said.
Mr Song said Optus faced three main ramifications: a regulatory enforcement response, civil litigation including class actions, and the effect on Optus' reputation.
"First, as this is the second large data breach by Optus in recent years, they will face additional scrutiny from the Office of the Australian Information Commissioner, the regulatory body responsible for investigating breaches of privacy in Australia.
"Under Section 13G of the Privacy Act 1988 (Cth) an organisation that seriously or repeatedly interferes with the privacy of an individual or individuals may be subject to civil penalties up to 2000 penalty units or $2.2 million. Of course, the loss of customers, legal costs, and additional expenditure on upgrading their systems will also be very costly," he said.
Mr Song said the second effect would be the risk of a series of civil cases, including class actions.
"Slater & Gordon are already preparing for one, allowing affected customers to register their interest on the website. is currently running their class action against Optus for their earlier breach in 2020.
"However, privacy on its own is a very high bar to set for damages, and for a class action to be brought you need substantial losses so that it is worthwhile for the lawyers/funders to pursue.
"The present problem here is identifying any loss or damage," Mr Song said.
The third effect could in some ways be the most serious for the company: lasting damage to its reputation.
"Optus has lost the trust and confidence of its customers, in the case of some, forever. Trust takes years to build, and seconds to destroy. Optus now faces a long and expensive road ahead to rebuild that trust," Mr Song said.
The number of customers affected and the serious nature of the information leaked meant the situation was "extremely serious".
"Driver licence information and passports are particularly serious given the risk of identity theft, and customers will not be happy that they are now exposed to any potential costs from identity fraud," he said.