News Analysis, 10 Oct 2022

‘Forget brands, parents are talking about it’: Optus data fallout set to hit marketing, tech, media as feds toughen stance on privacy review, personal information, consent

By Sam Buckingham-Jones & Paul McIntyre

“There is a lot of regulation to worry about in this country... Privacy has not been on the first page, let alone the top 10," Clyde & Co's Alec Christie says.

The Optus data breach of nearly 10 million customer records could trigger the toughest privacy law reforms in 35 years, warn experts across the marketing, legal, CX, martech, media, consulting and adtech sectors. It could mean widespread change and cost increases for companies to identify and acquire new customers and reskill their legal, digital, e-comm, retail, marketing, CX, tech stack and regulatory teams.

What you need to know:

  • The Optus data hack, in which millions of Australian consumer details were exposed, will likely fuel more aggressive privacy law changes than were initially slated under the current privacy review by the Federal Attorney General, privacy experts warn. 
  • The first wave of policy and regulatory action triggered by the Optus hack, possibly by Christmas, is likely to focus on cyber security standards, which datasets may be stored and for how long, and increased fines for breaches.
  • More explicit “delete data” controls and limits on what data can be collected are on the table. The premise, says Clyde & Co Partner Alec Christie, is “if you don’t collect 10 items of data, but only five, whatever happens it’s going to be half as much”. 
  • The second wave, say industry observers, will likely be a harder line on personal data capture and its primary and secondary use, affecting every company, big or small.
  • If there was industry hope under the current Privacy Act review for some leniency in collecting and using personal data for the likes of geo-location and device ID tracking, and less strident rules for gaining consumer consent, it is fading. 
  • Current laws for gaining consent for personal data are under scrutiny. 
  • Raj Kumar, CEO of martech and CX advisory firm The Lumery, which works with blue chips like Qantas, REA Group, Network Ten and nib, says the Optus fallout will “force policymakers to act faster and harder than they were going to before.”
  • Salinger Privacy’s Anna Johnston says marketers could be making their business’s data risk worse by collecting more data for advertising purposes. Holding less data lowers the risk profile.
  • The government says it could introduce new privacy reforms, off the back of a multiyear engagement process, before the end of the year.

Forget brands, parents are talking about it. Consumer expectations will force the government to act much faster and tougher than before Optus

Raj Kumar, CEO, The Lumery


$10m penalties

The Optus data hack has likely sharpened the government’s approach to reforming Australia’s privacy laws in coming months, with challenging implications for marketers and the data they want to collect and use. 

The last time the federal government recast privacy laws was 1988. Attorney General Mark Dreyfus is overseeing a current review of that legislation which, before the ‘Optus incident’, was already expected to tighten rules governing personal data collection and use. But the political, policy and regulatory mood has shifted gears after Optus, and experts say the government’s appetite for tighter restrictions on capturing, analysing and trading personally identifiable information (PII), which is central to the digital and data economy, is now biting.

Raj Kumar, CEO of martech and CX advisory firm The Lumery, which works with blue chips like Qantas, REA Group, Network Ten and nib, says the Optus fallout will “force policymakers to act quicker and harder than they were going to before. Consumer expectation will force government to go harder and faster because now it's firmly in the public eye. Everyday Joe now sees the impact of the lack of data privacy laws and regulations, they're facing it. So that expectation is going to force policymakers to act quicker and I think harder than they were going to act before. Forget brands. Parents are talking about it. Everyone's been waiting for something like this to happen. It was just bound to happen because no one's moving fast enough, right. It's unfortunate. My data has been affected. I'm one of those Optus customers.”

Privacy experts say key rules governing personal information and how long to hold onto data are more likely to be strengthened after one of the biggest cybersecurity breaches in Australian corporate history. 

The unravelling

“I think there are areas that weren't even on the table that will now be tackled,” Alec Christie, a Clyde & Co Partner specialising in information technology and privacy, said.

Most who spoke with Mi3 concurred. “I think we are going to see a tightening of privacy and cybersecurity laws following the Optus incident,” says Josh Faulks, the newly-installed CEO of the Australian Association of National Advertisers (AANA) and one-time advisor to former Attorney General George Brandis. Faulks was most recently lead on KPMG’s Reputation practice.

Media Federation CEO Sophie Madden is expecting a similar clampdown. “The government’s response to the Optus data breach indicates a strong resolve to tighten our privacy regulation framework and to do this at pace,” she says. “The Attorney General has flagged urgent reforms, new regulations by Christmas and to complete the privacy law review before the end of the year. It highlights the need to ensure privacy laws protect consumers and give them trust and confidence in the digital economy.”

ADMA's Head of Regulatory and Advocacy, Sarla Fernando, said penalties "may be a little stronger" after an intensive two-year reform process, but that businesses were now taking privacy much more seriously.

Gai Le Roy from IAB Australia noted the breach put a spotlight on data security, and that “the goal of the privacy law review should be to ensure the suite of laws we have in place enable people to confidently engage in the digital economy.”

Strangely, agency groups and their parent holding companies appear to have avoided making submissions to the AG’s privacy review process, despite their significant dependence on data trading. Of the five major global groups, WPP, Omnicom and IPG confirmed to Mi3 at the time of publishing that they had not made any submissions. Publicis and Dentsu were still checking. Update: Publicis has confirmed it did not make a submission to the Attorney General's Privacy Review. All up, about 206 published submissions were made to the Attorney General by the deadline in January. Industry bodies including the AANA, IAB, Free TV, Commercial Radio Australia and ADMA made submissions, but the Media Federation and Advertising Council didn't. Consulting groups KPMG and Deloitte both made submissions.

The details of almost 10 million customers were exposed, 2.1m of whom had a form of ID attached, including about 150,000 passport numbers and 50,000 Medicare numbers.

The breach came just as the government is preparing a report responding to hundreds of submissions about what it should do to update Australia’s privacy laws. It has already flagged passing a bill drafted under the previous government that would increase the penalties for privacy breaches to as much as $10 million or 10 per cent of annual turnover.

Deadline: Year's end

Attorney-General Mark Dreyfus said he may bring reforms in “before the end of the year” to “try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians”.  

The cornerstone of the country's privacy laws is the 13 Australian Privacy Principles, or APPs, which apply to any organisation with more than $3m in annual turnover. Businesses below that $3m threshold are generally exempt, under what is known as the small business exemption. The Privacy Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC).

Christie said the Optus breach exposed gaps both in how privacy laws are written and in how they are enforced, or not enforced.

“There is a lot of regulation to worry about in this country. We are overregulated. Privacy has not been on the first page, let alone the top 10. But now with the increase of fines, if the privacy commissioner gets more resources, we tweak some definitions to make it clear there's no wriggle room – all those things may help,” he said.

“Fundamentally, and I hate to say this, but it's things like this breach which really do the most in terms of pushing along the attitude.”

Companies like Optus shouldn’t hold onto sensitive personal information like passport, Medicare and driver’s licence numbers, Salinger Privacy principal Anna Johnston said. Johnston, a former Deputy Privacy Commissioner for NSW, believes there’s “wiggle room” in the privacy principles that means companies keep data longer than they need it. “There are a lot of bad practices, not just with telcos. Lots of overcollection of evidence of identity documents,” she said.

“This data breach has shown the vulnerability of we the population if these docs and numbers are not secured properly. The easiest way to secure is to not have them.” 

Chris Brinkworth is the Managing Partner of Civic Data, a martech and data consultancy. "Understanding what data you are collecting... is under massive scrutiny now," he said. "Whether you are at fault or not, the cost of a breach extends way beyond a fine. The reputation costs and brand costs of poor data governance are beyond comprehension."

We've had a lot of clients, marketing groups, who say, 'yeah, but for marketing, I'd also love to know where they live. I'd love to know how much they earn’. Or ‘I'd love to know whether they're male or female or gay or not, gay or homophobic or not’. ... Marketers would say, well, we need everything because it's like human resources, anything could happen – but that's not what the privacy law says.

Alec Christie, Partner, Clyde & Co

‘Now will be tackled’

Specifically, elements of APP 3, which covers when organisations can collect personal information, and APP 11, which covers the security of personal information, are much more likely to be strengthened by the government than they were a few weeks ago. APP 3 includes APP 3.6, which academics have described as the “forgotten privacy principle” but which has the potential to upend the data enrichment industry. APP 11 includes two clauses governing security (11.1) and the destruction or de-identification (11.2) of personal information an entity no longer needs.

“I think [the government] will miss a chance if they don't focus on APP 3 to make it very clear what you can collect. They will start at the beginning on the premise that if you don't collect 10 items of data, but only five, whatever happens later is going to be half as much,” Christie said.

Christie and Johnston disagree about how long companies can legally keep data under APP 11.2. Johnston says organisations can keep data for “as long as you have a legitimate need for it”, while Christie thinks there is an obligation to delete it after it’s used.

“You've got two people who've practiced in this area for a very long time, probably with hopefully both of us with above average knowledge of this area, and we disagree,” Christie said.

Marketers should question data

The Optus breach should prompt CMOs and marketers to reflect on the data they collect and hold, because every unnecessary field makes the consequences of a similar hack worse. Data has to be relevant to the core function of the business.

“We've had a lot of clients, marketing groups, who say, 'yeah, but for marketing, I'd also love to know where they live. I'd love to know how much they earn’. Or ‘I'd love to know whether they're male or female or gay or not, gay or homophobic or not’. So yeah, that's the marketing lens,” Christie said.

“But what they've got to do in terms of the collection is to understand from a business point of view, is it necessary to run our activities and functions and, if not, we probably shouldn't have it… Marketers would say, well, we need everything because it's like human resources, anything could happen – but that's not what the privacy law says.”

Johnston made a similar point – having less data is the best way to avoid a large-scale breach that impacts a lot of people. Marketers, and the broader C-suite, need to think about data security as more than a box to tick. “My main message is not to think that your cybersecurity teams are the start and end of your defences. Data security starts with product development teams,” she said.

“If there’s nothing to steal, you’re lowering your risk profile – by also being privacy protective.”

Privacy ‘theatre’

The government has made a few tinkering changes to data sharing laws since the breach to allow telcos to share identifiers with financial institutions. That won’t work, Johnston says, and risks entering knee-jerk response territory. For one, it means splashing personal data around banks, buy-now-pay-later apps and other organisations that require identity documents. It means more organisations holding bigger stores of more sensitive data, the “honeypot” problem.

Likewise, she added in a recent piece, other suggested responses are half-baked. A simple ‘right to erasure’ is impractical, more consent and choice is too much homework for consumers, a rule keeping data on Australian shores is ‘next to useless in reality’ and the idea of criminalising re-identification of data could have dramatic unintended consequences.

Larger fines, which are imminent, would likely not have stopped the Optus breach from happening, Brinkworth said. But there are "bad actors" that roll the dice and believe the rewards outweigh the risks and fines. Higher fines may thwart that. 

Johnston wrote down eight reforms that would help, including changing the $3m threshold. Small financial companies can do a lot of damage with low turnover, she said: “There’s a big difference between a hairdresser and a fintech platform… A one-person business can design an app to collect oodles and oodles of info on people.”

Likewise, it will be necessary to vastly increase the “shamefully under-funded” OAIC’s resources. “The regulator needs teeth. And to have teeth, regulators need big budgets,” she said.

Despite the coverage, and the notices from other companies assuring customers that their data security is strong, few people in the privacy space want to openly criticise Optus, which was previously seen as a good, collaborative operator.

“If it can happen to Optus it can happen to just about anyone,” Johnston said, adding that most players feel that: “There but for the grace of God go I.”
