Australia’s moves to protect data privacy fall short
A woman uses her mobile phone as she walks past in front of an Optus shop in Sydney, Australia, February 8, 2018. REUTERS/Daniel Munoz
For meaningful privacy protection, we need to impose stricter limits on the collection, use and retention of personal information
Samantha Floreani is the programme lead at Digital Rights Watch.
After decades of stagnation, Australia is finally taking steps to bring its privacy legislation into the modern digital era.
Aside from a handful of small amendments, the Australian Privacy Act has been largely untouched since it was first drafted in 1988. The data-driven economy and nature of digital technologies have changed a lot since then, and Australians have been left without robust protections, or meaningful enforcement by the chronically under-funded privacy regulator.
All of this is set to change in the wake of possibly the largest data breach in Australia’s history. Last month, one of Australia’s most popular telecommunications providers, Optus, had a major data breach. It threatened to compromise the personal information of approximately 9 million people. Within weeks, there was news of other major breaches, including at one of the largest private health insurers, and a major real estate agent.
So after years of dragging their feet, Australian politicians sat up and started paying attention to privacy. One month after news broke of the Optus data breach, a Bill was introduced to Parliament to make changes to the Privacy Act.
However, instead of substantive changes, this Bill mostly just increases the penalties for privacy infringements under the existing Act. Currently the maximum fine for a serious or repeated infringement under the Act is capped at A$2.2 million ($1.5 million). The Bill proposes raising the possible penalty to whichever is the greater of $50 million, three times the value of the benefit obtained, or 30% of turnover for the relevant period.
By way of comparison, the penalty cap under the European Union’s General Data Protection Regulation (GDPR) is set at 20 million euros ($21 million).
At first glance this makes it appear that Australia is proposing a more stringent approach to privacy regulation than the EU, but in reality that is not the case. While the maximum possible penalty may become greater in Australia, the substantive data protection obligations under the Privacy Act are not addressed by this Bill and remain woefully behind. Seeking to penalise those skirting privacy requirements is important, but the impact will ultimately be limited if the underlying requirements themselves remain weak, unclear, and unenforced.
Notably, not a single penalty has been imposed under the Privacy Act since the provision came into effect in 2014. The regulator has sought a penalty in only one case, against Facebook in relation to the Cambridge Analytica scandal, and more than two years later it is still not settled. So there is little to reassure Australians that the increased penalties will be anything more than hypothetical.
For privacy protections to be meaningful in Australia, we need to close the gaps and exemptions, expand and clarify definitions, and impose stricter limits on the collection, use and retention of personal information. The Bill achieves none of this.
These changes may not sound as cool as bigger fines, but without them Australians will remain vulnerable to the harms caused by the data-extractive economy. The current culture of data gluttony won't be addressed by a bigger stick alone.
The Bill also offers no pathway for recourse for those whose privacy has been violated. For years, privacy experts have been calling to allow individuals to seek redress without having to wait for a regulator to act. This would enable everyday people to take their right to privacy into their own hands.
Punishing organisations with larger fines after the fact may act as a deterrent in the future, but it does nothing to assist individuals when they need it most, nor does it restore their privacy once it has been lost.
This Bill is a welcome first step, but on its own it does not go nearly far enough. The Australian government has signalled that further changes are on the horizon, but there is no guarantee they will be strong enough to take on the challenges of the modern digital economy, especially in the face of vested interests actively pushing to weaken reforms.
Without meaningful reform to the rest of the Privacy Act, and in the absence of proper funding to the regulator, this Bill is not going to offer everyday people in Australia the kind of privacy protection needed in the digital age.
Any views expressed in this opinion piece are those of the author and not of Context or the Thomson Reuters Foundation.