The Optus data breach in late September was and involved about 10 million customers. It has raised important privacy concerns and led to questions about how personal data is managed by private and public entities.
Whether you like it or not, some form of your personal data is being stored on a computer somewhere. Even if you eschew using the internet for banking, or don’t use your mobile phone for browsing social media, just about every interaction with a website, company, organisation or government department involves data being collected.
The Optus data breach included personal identification documents, such as driver licences, Medicare numbers and passport information.
But personal data involves more than identity documents: it includes information collected on us by the digital panopticon as we go about our lives.
From to surveillance, as well as that track us physically, companies are collecting data to build information profiles to make bigger profits.
Alternatively, the data is collected to sell on as a commodity in itself. This is known as and it is systemic.
Surveillance capitalism
The media’s attention is largely focused on personal data and privacy, but we need to examine what data is being collected and how it is being used, and to consider better systems to protect personal data.
The European Union’s (EU) data protection framework – the General Data Protection Regulation (GDPR) – puts the privacy rights of the individual upfront.
If you’ve visited a website and a pop-up informs you of the site’s use of browser cookies with links to the site’s privacy policy, that is because the GDPR requires that of businesses dealing with EU citizens.
The GDPR is not without its own problems – it has been criticised by big tech and civil liberties groups – however its individual protections for citizens are light years ahead of Australia's.
One of the problems, as Matt Burgess from noted in May, is that to be effective EU regulations need to be enforced and, compared to Big Tech, there are not enough staff and resources to do the job.
“Since the went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding,” Burgess said.
Lawyer and Digital Privacy Watch chair pointed to the big and largely undiscussed problem.
“Governments are as addicted to surveillance as tech companies,” she said on October 11.
“Australia leads the pack in terms of the number of national security laws passed in response to 9/11; we are now close to 100 different pieces of anti-terror legislation.
“Many require companies to hold mountains of information (like the metadata retention regime) and then put this data at risk by, for example, weakening encryption (like the Access and Assistance Act).
“Privacy reform has a critically important role to play in addressing the problems created by surveillance capitalism because it strikes at the heart of the data extractivist business model,” O’Shea said.
“If we give people a meaningful right to privacy, platforms will have to find ways to make money other than through endless engagement (and the extremism it produces).
“It would also mean that companies would hold less data about us as individuals, which cannot be sold and on-traded to other companies intent on manipulating us.”
The other problem is that technology adapts and changes so fast that the law struggles to keep pace.
Even before the Optus breach, a two-year review of the Privacy Act, which ended in January, had not yet released information. is now calling on the federal government to release an exposure draft before the end of the year.
Protection for workers
Privacy and data collection is also a worker’s rights issue.
president Michele O’Neil said people needed to be able to “retain access, control and visibility” of their own data and “anyone collecting it should be held accountable for its security”.
“This is the standard that we should be able to expect in every sphere of life and it should be no different in the workplace,” she said on October 12.
An ACTU executive resolution pointed to “significant shortfalls in regulation and safeguards” regarding the use and protection of employee data by employers and outlined a few key principles that should govern employers’ use of workers’ data.
They included: employers being required to protect workers’ data; workers having a right to access data collected about them, and for it to be rectified, blocked or erased; and workers and their unions to be consulted and agreement reached before the introduction of new systems which enable surveillance or monitoring of workers.
“The creep of data collection has continued unquestioned for years,” O’Neil said. “Employers are now commonly collecting extremely sensitive data with no restrictions on its use or storage, and no recourse for workers who may wish to access, amend or erase it … Data protection is critical to ensuring that working people are safe at work.”
While there is a need for a speedy government response – along with increasing penalties for data breaches and amending the Privacy Act to make data collection a liability rather than a commodity – there is the potential that approaching it as a corporate governance issue rather than a human rights issue could end up making things worse.
As O’Shea concluded: “A data breach of the significance of Optus should never happen again, and the best way to protect data is to not have it.
“By strengthening our privacy regime, and advocating for data minimalism, we are better protecting our digital security.”
O’Shea said the focus should shift “towards a discussion about the need to have robust protection of rights”.
“If we treat people as holders of rights – rather than data points to be manipulated and exploited, or users that can have their dignity trampled in the race for profit – we create the capacity to build online spaces for people to flourish.”