
Plugging the leaks in privacy law

Dan Svantesson

By Professor Dan Svantesson, Director of the Centre for Commercial Law at Bond University. 

There’s been a lot of focus on the need for individuals to take care with their personal information online after massive data breaches at major companies, including Optus and Medibank, left the data of millions of Australians potentially compromised. 

But when it comes to the safety of their personal information, Australians are being let down by the very systems of legislation that are designed to protect them. 

Last week’s data breach at one Melbourne office of a real estate agency was the latest to lay bare the dangers resulting from weaknesses in Australia’s privacy regime. Personal information, including copies of electronic signatures and in some cases financial details of customers, was exposed to hackers. According to latest reports, 9.7 million people were affected by the Medibank data breach, and we’ve already seen the costs mounting after the Optus data breach, with VicRoads pledging to replace the licences of all drivers whose information was impacted. 

We’re often told we need to be careful with our data but there’s only so much you can do when so many daily interactions essentially force you to hand over your data. You can refuse to use the renting agent’s third-party app to apply for that property, but you can kiss goodbye any chance of securing that particular roof over your head.  

This is where they get you, because under the privacy laws in Australia – assuming the company you’re dealing with is even covered by them – once you’ve ticked that box saying you agree to the terms and conditions, you have consented. 

In circumstances like this, I’d argue that calling it ‘consent’ is questionable. Consent is meant to be both informed and freely given. When the option is ‘use this system or don’t bother applying’ consent is hardly ‘freely given’. And it’s pretty difficult to be ‘informed’ when that requires reading pages and pages of legalese from every organisation and third party that your data may or may not be given to as part of your reward for ‘ticking the box’. 

Consent works a bit like a miracle cure when it comes to privacy issues. When you consider consumer protection law, for example, clauses that organisations may include in their terms and conditions are ignored when they don’t align with the basic protections provided to consumers in that legislation. It’s a significant problem in privacy law and there needs to be reform in this area to better protect people. 

It’s a similar situation to the one phone providers found themselves in several years ago over complex phone plans with jargon-filled terms and conditions that led to vulnerable Australians incurring significant debts. 

One of the solutions brokered was the requirement for all contracts to come with a ‘plain English’ cover note that clearly set out the terms of the contract and how much in total customers could expect to pay over its duration. 

Something similar could help address some of the weaknesses in privacy law, and work on this is already underway, with academics undertaking research to devise a traffic sign-style system using visual symbols to help people better understand what happens to their data. 

It would be a good start, but it won’t much help renters, for example, who have filled in hundreds of applications with dozens of different companies – that's still a lot of reading! 

It also doesn’t address the issues around long-term storage of identity data. For businesses captured by the privacy act – it only applies to those with turnover of $3 million or more – the privacy principles state they should only collect what’s needed and when it’s no longer needed, they must take steps to destroy or deidentify the information. It’s clear that’s not happening.  

I suspect the refrain from companies about the law ‘forcing’ them to keep the data for 7 years is a misinterpretation. Often it’s simply easier to store the data than have processes for destruction or safely de-identified storage of such data. It’s easy to see why big companies take this approach. It’s another weakness in the legislation. The penalties for breaching the act are so small in Australia that it’s often cheaper for companies not to comply with the act and risk a fine.  

These issues can only be resolved with legislative change. It’s fine for government to be horrified by these breaches, but ultimately they need to step up and make some change. 

We have known about these issues for many years and have been writing and talking about them. It’s a shame it has taken breaches of the magnitude of the ones we have seen recently, and that so many people have been negatively impacted, to see possible change. 
