The Optus data breach in late September was the largest in Australia and involved about 10 million customers. It has raised important privacy concerns and led to questions about how personal data is managed by private and public entities.
Whether you like it or not, some form of your personal data is being stored on a computer somewhere. Even if you eschew using the internet for banking, or don’t use your mobile phone for browsing social media, just about every interaction with a website, company, organisation or government department involves data being collected.
The Optus data breach included personal identification documents, such as driver licences, Medicare numbers and passport information.
But personal data involves more than identity documents: it includes information collected on us by the digital panopticon as we go about our lives.
From trackers in web browsers to social media surveillance, as well as facial recognition systems that track us physically, companies are collecting data to build information profiles to make bigger profits.
Alternatively, the data is collected to sell on as a commodity in itself. This is known as surveillance capitalism and it is systemic.
The media’s attention is largely focused on personal data and privacy, but we need to examine what data is being collected, how it is being used and better systems to protect personal data.
The European Union’s (EU) data protection framework — the General Data Protection Regulation (GDPR) — puts the privacy rights of the individual upfront.
The GDPR is not without its own problems — it has been criticised by big tech and civil liberties groups — however its individual protections for citizens are light years ahead of Australia's.
One of the problems, as Matt Burgess from Wired noted in May, is that to be effective EU regulations need to be enforced and, compared to Big Tech, there are not enough staff and resources to do the job.
“Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding,” Burgess said.
Lawyer and Digital Privacy Watch chair Lizzie O’Shea pointed to the big and largely undiscussed problem.
“Governments are as addicted to surveillance as tech companies,” she said on October 11.
“Australia leads the pack in terms of the number of national security laws passed in response to 9/11; we are now close to 100 different pieces of anti-terror legislation.
“Many require companies to hold mountains of information (like the metadata retention regime) and then put this data at risk by, for example, weakening encryption (like the Access and Assistance Act).
“Privacy reform has a critically important role to play in addressing the problems created by surveillance capitalism because it strikes at the heart of the data extractivist business model,” O’Shea said.
“If we give people a meaningful right to privacy, platforms will have to find ways to make money other than through endless engagement (and the extremism it produces).
“It would also mean that companies would hold less data about us as individuals, which cannot be sold and on traded to other companies intent on manipulating us.”
The other problem is that technology adapts and changes so fast that the law struggles to keep pace.
Even before the Optus breach, a rwo-year review of the Privacy Act, which ended in January, had not yet released information. The Australian Information Industry Association is now calling on the federal government to release an exposure draft before the end of the year.
Protection for workers
Privacy and data collection is also a worker’s rights issue.
Australian Council of Trade Unions (ACTU) president Michele O’Neil said people needed to be able to “retain access, control and visibility” of their own data and “anyone collecting it should be held accountable for its security”.
“This is the standard that we should be able to expect in every sphere of life and it should be no different in the workplace,” she said on October 12.
An ACTU executive resolution pointed to “significant shortfalls in regulation and safeguards” regarding the use and protection of employee data by employers and outlined a few key principles that should govern employers’ use of workers’ data.
They included: employers being required protect workers’ data; workers having a right to access data collected about them, and for it to be rectified, blocked or erased; and workers and their unions to be consulted and agreement reached before the introduction of new systems which enable surveillance or monitoring of workers.
“The creep of data collection has continued unquestioned for years,” O’Neil said. “Employers are now commonly collecting extremely sensitive data with no restrictions on its use or storage, and no recourse for workers who may wish to access, amend or erase it … Data protection is critical to ensuring that working people are safe at work.”
While there is a need for a speedy government response — along with increasing penalties for data breaches and amending the Privacy Act to make data collection a liability rather than a commodity — there is the potential that approaching it as a corporate governance issue rather than a human rights issue could end up making things worse.
As O’Shea concluded: “A data breach of the significance of Optus should never happen again, and the best way to protect data is to not have it.
“By strengthening our privacy regime, and advocating for data minimalism, we are better protecting our digital security.”
O’Shea said the focus should shift “towards a discussion about the need to have robust protection of rights".
"If we treat people as holders of rights — rather than data points to be manipulated and exploited, or users that can have their dignity trampled in the race for profit — we create the capacity to build online spaces for people to flourish.”
[Sign the letter calling on Attorney General Mark Dreyfus to prioritise real privacy reforms.]