
Plugging the leaks in privacy law

Dan Svantesson

By Professor Dan Svantesson, Director of the Centre for Commercial Law at Bond University. 

There’s been a lot of focus on the need for individuals to take care with their personal information online after massive data breaches at major companies including Optus and Medibank leading to the data of millions of Australians being potentially compromised. 

But when it comes to the safety of their personal information, Australians are being let down by the very systems of legislation that are designed to protect them. 

Last week’s data breach at one Melbourne office of a real estate agency was the latest to lay bare the dangers resulting from weaknesses in Australia’s privacy regime. Personal information, including copies of electronic signatures and in some cases financial details of customers, was exposed to hackers. According to latest reports 9.7 million people were affected by the Medibank data breach, and we’ve already seen the costs mounting after the Optus data breach, with VicRoads pledging to replace the licences of all drivers whose information was impacted.

We’re often told we need to be careful with our data but there’s only so much you can do when so many daily interactions essentially force you to hand over your data. You can refuse to use the renting agent’s third-party app to apply for that property, but you can kiss goodbye any chance of securing that particular roof over your head.  

This is where they get you, because under the privacy laws in Australia – assuming the company you’re dealing with is even covered by them – once you’ve ticked that box saying you agree to the terms and conditions you have consented.

In circumstances like this, I’d argue that calling it ‘consent’ is questionable. Consent is meant to be both informed and freely given. When the option is ‘use this system or don’t bother applying’ consent is hardly ‘freely given’. And it’s pretty difficult to be ‘informed’ when that requires reading pages and pages of legalese from every organisation and third party that your data may or may not be given to as part of your reward for ‘ticking the box’. 

Consent works a bit like a miracle cure when it comes to privacy issues. When you consider consumer protection law, for example, clauses that organisations may include in their terms and conditions are ignored when they don’t align with the basic protections provided to consumers in that legislation. It’s a significant problem in privacy law and there needs to be reform in this area to better protect people. 

It’s a similar situation to the one phone providers found themselves in several years ago over complex phone plans with jargon-filled terms and conditions that led to vulnerable Australians incurring significant debts. 

One of the solutions brokered was the requirement for all contracts to come with a ‘plain English’ cover note that clearly set out the terms of the contract and how much in total customers could expect to pay over its duration. 

Something similar could help address some of the weaknesses in privacy law and work on this is already underway, with academics undertaking research to devise a traffic sign-style system using visual symbols to help people better understand what happens to their data.

It would be a good start, but it won’t much help renters, for example, who have filled in hundreds of applications with dozens of different companies – that's still a lot of reading! 

It also doesn’t address the issues around long-term storage of identity data. For businesses captured by the privacy act – it only applies to those with turnover of $3 million or more – the privacy principles state they should only collect what’s needed and when it’s no longer needed, they must take steps to destroy or deidentify the information. It’s clear that’s not happening.  

I suspect the refrain from companies about the law ‘forcing’ them to keep the data for 7 years is a misinterpretation. Often it’s simply easier to store the data than have processes for destruction or safely de-identified storage of such data. It’s easy to see why big companies take this approach. It’s another weakness in the legislation. The penalties for breaching the act are so small in Australia that it’s often cheaper for companies not to comply with the act and risk a fine.  

These issues can only be resolved with legislative change. It’s fine for government to be horrified by these breaches, but ultimately they need to step up and make some change. 

We have known about these issues for many years and have been writing and talking about them. It’s a shame it has taken breaches of the magnitude of the ones we have seen recently, and that so many people have been negatively impacted, to see possible change.
