‘Slow to change’: The shortcomings of Australian privacy law

By Sarah Morgan

Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all. (Robert Post, 2001)

The burgeoning digital and technology space in Australia is at once innovative and terrifying. Not only do applications routinely sell a user’s location data, companies are also anonymising other user information to sell at a profit to third parties. It’s not a new issue isolated to Australia; governments across the globe collect incredibly detailed data sets from their populations. With this increasingly complex and unregulated space, we are seeing a rise in spam emails and malware attacks across software systems and applications. These malware attacks in particular are aimed specifically at stealing personal information to use or sell.

Never was this more apparent than throughout the COVID-19 pandemic. The Australian government centralised its data collection through its various check-in applications. While the centralisation served an important government function, the ambiguity around the length of data storage or the possible repurposing of data was concerning. More concerning is that a decentralised approach does not seem any more secure. The risk of data mining is risky in a well-established technology monopoly like Apple or Google.

The Privacy Act 1988 (Cth) has gone through a number of changes in an attempt to secure the handling of personal information. An eligible data breach as defined in the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) occurs when there is unauthorised access or disclosure of personal information and whether this breach could result in serious harm to the individual. This amended legislation in particular was aimed at tackling data breaches where companies were required to notify a regulatory authority if a breach occurred. Individuals can then take necessary steps to rectify their loss. What is clear is that cyber-crime and data breaches are only getting worse and more frequent.

In November 2021, 500 employees, both current and former, of Nine Radio had personal information stolen as part of a hack of their payroll software provider Frontier Software. As part of the same ransomware hack, over 38,000 South Australian public servants had their personal information published online. The most recent Annual Cyber Threat report flagged that cyber-crime is not a rare occurrence. In the 2020-2021 period, there were over 67,500 reports to Australian cyber-security, which is alarmingly one report every 8 minutes. This is also a significant increase from the previous year which had just under 60,000 reports. The self-reported losses from that year total more than $33 billion.

In the digital and technology space, Australian legal systems have been slow to change in response to ongoing challenges, data breaches and cyber-crime. Australia needs a better solution in place to protect our personal information and privacy.