
The federal government should urgently adopt measures like the European Union’s General Data Protection Regulation (GDPR) to protect Australians after the massive Optus data breach, said a UNSW Sydney law expert.

UNSW Law & Justice’s Tony Song, who is a Research Fellow for the NSW Law Society's Future of Law and Innovation (FLIP) research stream, said the serious data breach at Optus that exposed millions of Australians to fraud should spark a complete overhaul of the nation’s protections for consumers.

Australians this week were coming to understand the seriousness of the exposure of their personal data and the complexity of the steps they must now take to protect themselves against identity theft after the Optus breach.

The data of almost 10 million Australians were exposed, with 2.8 million people having important identity documents exposed including passports and driver's licences. 

What is the GDPR and why should Australia adopt it?

“I think our laws should at the very least be updated to match the EU’s GDPR, which has become something of the gold standard for data protection regulation,” Mr Song said. 

Described as the ‘toughest privacy and security law in the world’, the General Data Protection Regulation is a legal framework on data protection and privacy that was put into force by the European Union (EU) on 25 May 2018. 

Mr Song said the GDPR is considered a revolutionary law not just for its harsh and strict fines up to hundreds of millions in dollars, but also in its law-making process, representing the culmination of six years of negotiation between member states in the EU’s institutional structure that includes the European Parliament, European Council and European Commission.

“This means increasing the penalties not just for the cyber criminals, as suggested by Shadow Home Affairs Minister Karen Andrews – as this will not effectively deter bad actors, who will assume they will not get caught anyway – but actually for the companies that hold, use and process all our data,” he said.

“Our current $2.2 million limit [in corporate penalties for breaches] is nothing compared to the GDPR’s maximum of $20 million euros or 4 per cent of the firm’s worldwide annual revenue. For many large tech companies, that is still peanuts to them.”


While passed by the EU, the GDPR is designed to apply regardless of jurisdiction, Mr Song said.

This means the GDPR has extra-territorial scope, so that it requires any country or organisation outside the EU doing business in the EU (anyone ‘processing’ or ‘controlling’ EU data) to comply with GDPR obligations. 

“While the GDPR is not perfect, it still represents the current world standard for privacy protection, and at the very least serves as a base-layer foundation for information and data protection law to build up from,” Mr Song said.

Australia is in the process of reviewing the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which is significantly based on requirements and concepts found in the GDPR and the California Consumer Privacy Act of 2018.

“This Bill has been in the pipeline for a while, so the news articles extolling that new laws will be enacted in response to the Optus breach are only half-correct. While the Optus breach will no doubt prioritise attention to rushing the Bill through, these laws were already in the process of being reformed even before the incident,” Mr Song said.

How would law based on the GDPR protect consumers? 

Mr Song said that changes for companies and consumers could include:

  • Increased fines: In the EU the GDPR’s maximum fine is €20 million or 4 per cent of the firm’s worldwide annual revenue. The Bill before Parliament would increase the maximum penalty from $2.2 million to the greater of $10 million, three times the benefit of the misconduct, or 10 per cent of the organisation’s turnover in the 12-month period up to the conduct.
  • Wider coverage for consumers: As per the Bill, expanding the definitions of ‘personal information’ and ‘collection’ would better match the GDPR’s concept of ‘personal data’, meaning any data or information relating to an identified or identifiable person, rather than just information ‘about’ a person as it is currently defined.
  • Improved rights for consumers, including privacy: Under Article 17 of the GDPR there is a right to erasure or rectification. The Australian Privacy Act does not currently give individuals a right to request erasure of their personal information. The Bill proposes a limited right of erasure which, when exercised, would require the destruction or de-identification of the information unless it is required to complete a transaction or contractual obligation, deletion is impossible, or there is a public interest in retaining the information.
  • Consent protections for consumers and more ‘teeth’ for regulators: Updating the definition of consent to match the GDPR’s definition of a voluntary, informed, current, specific and unambiguous indication given through clear actions. The new standard could also further empower the Office of the Australian Information Commissioner (OAIC) with powers to make new determinations or to compel entities to effectively ‘audit’ their privacy practices and report the findings back to the OAIC.

Mr Song said that besides benefits for consumers in the longer term, this suite of potential changes could have significant benefits for companies. 

“By harmonising with or adopting a GDPR-style framework, it could improve trade and collaboration between Australia and the EU, and greatly improve the prospects of finalising the free-trade agreement with the EU that Australia is ... negotiating on,” he said.

What are the potential ramifications of the breach for Optus?

Mr Song said Optus faced three main ramifications: a regulatory enforcement response, civil litigation including class actions, and the effect on Optus' reputation.

“First, as this is the second large data breach by Optus in recent years, they will face additional scrutiny from the Office of the Australian Information Commissioner, the regulatory body responsible for investigating breaches of privacy in Australia.

“Under Section 13G of the Privacy Act 1988 (Cth) an organisation that seriously or repeatedly interferes with the privacy of an individual or individuals may be subject to civil penalties up to 2000 penalty units or $2.2 million. Of course, the loss of customers, legal costs, and additional expenditure on upgrading their systems will also be very costly,” he said.

Mr Song said the second effect would be the risk of a series of civil cases, including class actions.

“Slater & Gordon are already preparing for one, allowing affected customers to register their interest on the website. Maurice Blackburn is currently running their class action against Optus for their earlier breach in 2020.


“However, privacy on its own is a very high bar to set for damages, and for a class action to be brought you need substantial losses so that it is worthwhile for the lawyers/funders to pursue.

“The present problem here is identifying any loss or damage,” Mr Song said.

The third effect could in some ways be the most serious for the company – lasting damage to its reputation. 

“Optus has lost the trust and confidence of its customers, in the case of some, forever. Trust takes years to build, and seconds to destroy. Optus now faces a long and expensive road ahead to rebuild that trust,” Mr Song said. 

The number of customers affected and the serious nature of the information leaked meant the situation was “extremely serious”.

“Driver licence information and passports are particularly serious given the risk of identity theft, and customers will not be happy that they are now exposed to any potential costs from identity fraud,” he said.