The federal government should urgently adopt measures such as the European Union’s General Data Protection Regulation (GDPR) to protect Australians after Optus’ massive data breach, a data protection expert has said.
UNSW Sydney
Tony Song of UNSW Law & Justice, a research fellow in the NSW Law Society’s FLIP (Future of Law and Innovation) research stream, said the severe data breach at Optus, which exposed millions of Australians to fraud, should trigger a complete overhaul of the national system of protections for consumers.
This week, Australians were beginning to understand the seriousness of their personal data exposure and the complexity of the steps they now need to take to protect against identity theft following the Optus breach.
The data of nearly 10 million Australians was exposed, and 2.8 million of those people had key identity documents exposed, including passports and driver’s licences.
What is GDPR and why should Australia adopt it?
“I think our laws should at least be updated to match EU GDPR, which has become something of the gold standard in data protection regulation,” Song said.
Described as the “strongest privacy and security law in the world”, the General Data Protection Regulation is a legal framework on data protection and privacy that was brought into force by the European Union (EU) on May 25, 2018.
Mr. Song said the GDPR is considered a groundbreaking law not only for its severe and strict fines of up to hundreds of millions of dollars, but also for its legislative process, which represented the culmination of six years of negotiations between member states within the institutional structure of the EU, which includes the European Parliament, the European Council and the European Commission.
“That means increasing penalties not just for cybercriminals, as shadow Home Affairs Minister Karen Andrews has suggested – because that won’t effectively deter bad actors, who will assume they won’t get caught anyway – but actually for the companies that own, use and process all of our data,” he said.
“Our current limit of $2.2 million [in corporate penalties for breaches] is nothing compared to the maximum of 20 million euros set by the GDPR, or 4% of the company’s worldwide annual turnover. For many big tech companies, even that is still peanuts.”
Although enacted by the EU, the GDPR is designed to apply beyond the EU’s own borders, Song said.
This extraterritorial reach means that any organization outside the EU that does business in the EU (anyone “processing” or “controlling” the personal data of people in the EU) must comply with GDPR obligations.
“While the GDPR is not perfect, it still represents the current global standard for privacy protection and at the very least serves as the basis for information and data protection legislation,” Mr. Song said.
Australia is reviewing the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill), which is largely based on the requirements and concepts found in the GDPR and the California Consumer Privacy Act of 2018.
“This bill has been in the works for some time, so news reports touting that new laws will be enacted in response to the Optus breach are only half correct. While the Optus breach will undoubtedly push the bill up the priority list, these laws were already being reformed before the incident,” Mr. Song said.
How would a GDPR-based law protect consumers?
Mr. Song said changes for businesses and consumers could include:
- Increased fines: In the EU, the maximum GDPR fine is €20 million or 4% of the company’s worldwide annual turnover. The bill before Parliament would increase the maximum penalty from $2.2 million to the greater of $10 million, three times the value of the benefit obtained from the contravention, or 10% of the organization’s turnover in the 12 months prior to the conduct.
- Broader coverage for consumers: The bill’s expanded definitions of “personal information” and “collection” would better correspond to the GDPR’s concept of “personal data”, meaning any data or information relating to an identified or identifiable person, rather than merely information “about” a person as currently defined.
- Improved consumer rights, including a right to erasure: Under Article 17 of the GDPR there is a right to erasure (and, under Article 16, a right to rectification). Australian privacy law does not currently give individuals the right to request the erasure of their personal information. The bill proposes a limited right to erasure which, when exercised, would require the destruction or anonymization of the information unless it is necessary to complete a transaction or contractual obligation, deletion is impossible, or there is an interest in keeping the information.
- Consent protections for consumers and more “teeth” for regulators: Updating the definition of consent to match the GDPR definition of being voluntary, informed, current, specific, and an unambiguous indication through clear actions. The new standard could also further empower the Office of the Australian Information Commissioner (OAIC) to make new determinations or require entities to effectively “audit” their privacy practices and report their findings to the OAIC.
Mr. Song said that in addition to the longer-term benefits for consumers, this suite of potential changes could have significant benefits for businesses.
“By harmonizing with or adopting a GDPR-style framework, Australia could improve trade and collaboration with the EU, and significantly improve the prospects of finalizing the free trade agreement that Australia is negotiating with the EU,” he said.
What are the potential ramifications of the breach for Optus?
Mr. Song said Optus faces three main ramifications: a regulatory enforcement response, civil litigation, including class action lawsuits, and the effect on Optus’ reputation.
“Firstly, as this is the second major data breach by Optus in recent years, they will be subject to further scrutiny by the Office of the Australian Information Commissioner, the regulator responsible for investigating privacy breaches in Australia.
“Under section 13G of the Privacy Act 1988 (Cth), an organization which seriously or repeatedly interferes with the privacy of one or more individuals may be subject to civil penalties of up to 2,000 penalty units or $2.2 million. Of course, the loss of customers, legal fees and the additional expense of upgrading their systems will also be very costly,” he said.
Mr Song said the second effect would be the risk of a range of civil cases, including class action lawsuits.
“Slater & Gordon are already preparing for one, allowing affected customers to register their interest on its website. Maurice Blackburn is currently pursuing its class action lawsuit against Optus for its earlier breach in 2020.
“However, privacy in itself is a very high bar to clear for damages, and for a class action to be brought, you need substantial losses to make it worthwhile for the lawyers and litigation funders.
“The problem here is identifying any loss or damage,” Song said.
The third effect could in some respects be the most serious for the company – lasting damage to its reputation.
“Optus has lost the trust of its customers, in the case of some, forever. Trust takes years to build and seconds to destroy. Optus now faces a long and costly road to rebuilding that trust,” Mr. Song said.
The number of customers affected and the seriousness of the information disclosed made the situation “extremely serious”.
“Driver’s licence and passport information is particularly serious given the risk of identity theft, and customers will not be satisfied that they are now exposed to potential costs related to identity theft,” he said.