
Giving Australians the right to force companies to delete their personal data could be a significant step in combating the increasing threat of mass data theft, according to cybersecurity experts. This comes in the wake of recent cyber attacks affecting more than 25 million customer accounts across major companies like Qantas, Optus, and Medibank.
University of Queensland cybersecurity expert Ryan Ko warns that the risk of Australians falling victim to cybercrimes such as identity fraud or extortion is “increasing by the day.” He emphasizes the uncertainty surrounding how leaked information might be used, describing individuals as “sitting ducks” in the face of these threats.
The Growing Threat of Cybercrime
Despite Australia being ranked as the world’s leading state in cyber defense by a Harvard University report in September 2022, the country has witnessed a series of high-profile data breaches. In the same month, hackers accessed sensitive data from 9.8 million Optus customers, including names, birth dates, and, in some cases, home addresses and passport numbers. This breach forced the Queensland government to replace over 178,000 driver licenses.
The following month, Medibank fell victim to a ransomware attack, with hackers threatening to release the medical records of 9.7 million people on the dark web. The attackers exploited Medibank’s inadequate safeguards, such as the lack of multi-factor authentication, and the company had ignored warnings from consultants about system vulnerabilities.
Corporate Accountability and Legal Challenges
The 2022 breaches exposed data from both current and former customers of Optus and Medibank. In response, Qantas attempted to learn from these incidents by deleting outdated customer data. However, last month, the airline suffered another attack via its call center in the Philippines, exposing details of 5.7 million current Frequent Flyer customers.
Corporate accountability in Australia, particularly regarding compensation for data breaches, is often a protracted process. The Office of the Australian Information Commissioner (OAIC) is still investigating the Optus breach nearly three years later, while the Australian Communications and Media Authority has ongoing legal proceedings against Optus in the Federal Court. Similar actions against Medibank are also pending.
Proposed Reforms and the Right to Erasure
In response to these challenges, privacy experts are advocating for a “right to erasure,” which would allow individuals to compel companies to disclose, delete, or de-identify their personal information. This concept, already in place in Europe since 2018, is supported by 90% of Australians, according to a 2023 survey by the OAIC.
Technology lawyer James North, who leads the technology practice at Corrs Chambers Westgarth, argues that giving people more control over their data could mitigate the fallout from data breaches. He highlights the importance of data minimization and the need for companies to delete unnecessary information to prevent breaches and subsequent legal actions.
“Data minimization, not collecting data that’s not required for identity checks, and ensuring that companies delete information when it’s no longer needed is much better than having a breach and then a class action,” North states.
Reducing Cybercrime Incentives
Professor Ko supports the reform, suggesting it would allow individuals to hold companies accountable and reduce the likelihood of organizations becoming “honey pots for cybercriminals.” He believes that implementing the right to erasure within organizations is technically feasible and would encourage better communication with customers regarding data usage and retention policies.
Government Response and Future Steps
The Albanese government has agreed “in-principle” to the reform, with exceptions for public interest, law enforcement, and national security. A spokesperson for Federal Attorney-General Michelle Rowland acknowledges the significant impact of data breaches and the government’s commitment to protecting Australians’ privacy. However, the timeline for introducing these reforms remains unclear.
The government is taking a cautious approach to balance protecting personal information with allowing its use for societal and economic benefits. As the spokesperson notes, “This is a complex policy area engaging a wide range of stakeholders with diverse perspectives and interests.”
As Australia grapples with the implications of widespread data breaches, the push for stronger data protection measures, including the right to erasure, continues to gain momentum. The outcome of this debate will likely shape the country’s approach to cybersecurity and data privacy in the coming years.