Edward McCann | Cyber and Tech Fellow
A number of recent incidents have brought Australia's privacy protections under significant scrutiny. The compromise of the data of more than 9 million Medibank customers and over 10 million Optus customers has made the threat posed by malicious cyber actors very real for Australians. Both incidents are a good opportunity for a detailed review of Australia's current regulations on the collection, storage, and use of personal data. Although effective regulation will always be reactive given the rapid pace of innovation, structural guardrails should be put in place so that new technologies can operate properly while specific governance is developed.
Another challenge to Australia’s existing privacy framework came in June when it was revealed that major retailers Bunnings, Kmart, and the Good Guys were employing facial recognition technology in stores to collect biometric data about their customers. These retailers claimed that this technology was employed as a means of preventing theft and to better protect their staff by identifying repeat offenders. While the use of facial recognition technology was advertised to customers in ‘conditions of entry’ signs, their policies about storage and future use of this biometric information were not included.
Following significant backlash and widespread media attention, the three retailers announced that they would cease using facial recognition technology. Furthermore, the Office of the Australian Information Commissioner announced in July that it would investigate whether the use of this technology violated existing privacy legislation and guidelines in Australia. The use of facial recognition technology is already controversial, with the then United Nations Human Rights Commissioner calling for a global moratorium on its use in September 2021.
Many Australian government agencies already use this technology for identity verification purposes, including immigration and border security authorities. At the same time, facial recognition technology has been employed in Xinjiang as a means of surveilling and suppressing the Uyghur population, and Human Rights Watch has criticised its use in Russia as a means of identifying and tracking down protestors as well as those evading the draft. These examples, together with the concerns raised by the United Nations Human Rights Commissioner, reinforce the need for modern privacy regulations that can adapt to new technologies.
This debate about the use of facial recognition technology has coincided with the recent spate of cyber attacks on Australian businesses. While these incidents have revealed critical weaknesses in security standards, they have also demonstrated the broader need for an updated approach to data and privacy standards. Following the Medibank breach, there were reports that a number of law firms were considering launching a class action lawsuit on the basis that sections of the Privacy Act 1988 (Cth) had been violated. While it is unclear whether such an action would succeed in court, the lack of immediate recourse reinforces the need for stronger and clearer obligations on businesses that use and store sensitive customer data.
In response, the Australian Government has recently taken a number of steps that strengthen existing protections. Legislation passed in October introduced new financial penalties for companies that are found to have acted negligently in the protection of customer data. Changes such as this are an effective, low-cost, and quick means of mitigating risk, because they require businesses to spend the resources necessary to uplift their cyber security posture. Home Affairs Minister O'Neil has signalled that the current review of Australia's National Security Strategy will likely see significant changes to existing policies and result in greater government spending on cyber and data security.
While the specific details of these policy changes have not been released, they are likely to be significant given the recent attention on cyber security.
Until then, the priority should be identifying and strengthening sectors of the economy that interact with customer data, have limited existing cyber security oversight, and are vulnerable to attack. A good example of this approach is the recent proposal by NSW Minister for Customer Service Victor Dominello to launch a comprehensive review of what information is currently required for a rental application, how it is collected, and what level of security is used to protect it. A simple policy change such as this would mitigate both the likelihood and the severity of cyber incidents by reducing the quantity and sensitivity of data available to a potential attacker.
The fervour surrounding the use of facial recognition technology in Australia reinforces the need for greater clarity about how data is collected by businesses, how long it is held for, and who has access to it. These concerns were only heightened by the recent cyber incidents, which made a once abstract threat very real to millions of Australians and, importantly, demonstrated how malicious actors can exploit data collected by businesses. Given the unpredictable nature of technological development, governments should focus on strengthening data protections themselves rather than waiting to regulate each new technology after the fact. Although there is no simple fix for cyber threats, risk can be reduced by minimising the amount of sensitive customer data that businesses can access, use, and store.