Incidents of data breaches and hacking seem to have featured in the headlines more frequently than ever.
There was the Facebook ‘incident’ (well, two really) when the data of 87 million users was accessed by a third party to target voters in Donald Trump’s election campaign. Then, only a couple of months after the Cambridge Analytica scandal was exposed, the login details of 50 million Facebook users were compromised.
There were the 383 million Marriott customers who had their details, passport and credit card information leaked, the 57 million Uber customers whose details were exposed, and the 330 million Twitter users whose login details were compromised.
And that’s only the highlight reel of 2018.
The sheer volume of data and privacy breaches every month highlights the global issue with cybersecurity. And despite the seriousness of these data breaches, what has been done about it? At worst, a congressional hearing and a £500,000 fine in Facebook’s case. But with the exception of fines that have been handed out under the European Union’s legislation, these privacy breaches have had very few legal repercussions for the parties involved.
Closer to home, the My Health Record opt-out period saw more than 1.1 million Australians withdraw from the database that aims to provide an “online summary of your health information” that “can be accessed at any time by you and your healthcare providers”, due to privacy concerns.
And you can be forgiven for being worried. After all, thousands of pages of ‘top secret’ and ‘classified’ government security documents were left in filing cabinets that were sold in a second-hand op shop…
All jokes aside, there is a serious lack of protective privacy legislation for data in Australia.
The Privacy Act 1988 and the Telecommunications Act 1997 have not been able to keep up with the evolving nature of technology, and as such, have a very limited scope of responsibility and power when it comes to legislating the protection of data privacy.
Although both of these Acts regulate the collection, use and disclosure of your personal information, they don’t actually protect your privacy in a broader sense. In fact, the only meaningful law reform to either of these Acts within the last few years has been the introduction of new data retention policies that actually require internet service providers to keep more of your data for longer. In the two years that they are legally required to keep your data, even more vulnerabilities associated with your data will inevitably arise. Who is holding it and who can access it? If it is compromised, who is responsible and what penalty will they receive?
Perhaps an even bigger issue than the shortcomings of the Privacy Act 1988 and the Telecommunications Act 1997 is the lack of real-time supervision and accountability of law enforcement and national security agencies. Given the weak powers and scope of any supervisory regime, it is unlikely that this extensive wealth of personal metadata will be properly kept.
So, should the onus of our data privacy fall solely on companies? Companies that can potentially sell that data for millions of dollars? Or does any form of real and meaningful legislative reform need to be driven by the government? And if so, when?