Introduction
Personal data breaches have become a crucial cybersecurity issue in the Asia-Pacific region, including Australia. In contrast to the European Union’s General Data Protection Regulation (GDPR), the Australian government implements the so-called “Australian Privacy Principles,” or the APPs formulated in the Privacy Act of 1988. This essay will review some data breach incidents affecting Australian citizens and potential challenges surrounding data breach prevention and investigation.
Recent Data Breach Cases Affecting Australian Users and Law Enforcement
Law Enforcement: Current Data Privacy Law in Australia
The APPs are greatly different from the GDPR in terms of terminology and applicability. Specifically, Australian privacy law does not consider HTTP cookies used to send targeted ads and other online identifiers as personal data items. The APPs include data management rules peculiar to thirteen areas, ranging from personal information quality to the rules for cross-border information disclosure. Nevertheless, unlike the GDPR, there are no provisions to specify data controllers’ roles and responsibilities. The limits to applicability also vary between the laws, with the GDPR applying to any individual/entity providing services or monitoring the EU citizens’ online behaviors. In contrast, the apps are applicable to specific entities, including governmental agencies, Australia-based businesses with turnovers exceeding $3 million, and businesses with lower turnover levels that use personal data for service provision. Therefore, the GDPR might offer stronger data protection conditions compared to Australia’s privacy law.
International Cases
Personal data breach incidents affecting Australian individuals and business users have become increasingly common, pointing to the need for law enforcement efforts and designing new statutory causes of action to deal with serious invasions of Australian citizens’ privacy. In June 2021, news sources reported that the personal data of more than 700 million LinkedIn users, including Australians, had been listed for sale on the dark web for $5,000. Despite not including the users’ online banking credentials, the exposed data contained name/address, contact information, professional background/career data, and connected social media accounts, thus providing enough detail to purport to be another person or make hoax calls. LinkedIn explained the incident as a data scraping case in which online bots cataloged the users’ available information. Regardless of the actual risks for such services’ users in Australia and other locations, it is the reuse of IDs and passwords that can facilitate online attacks, hoaxes, and criminal identity thefts. With that in mind, aside from further international breach prevention efforts, promoting a security culture among common users is crucial.
Regional Data Breaches
In Australia, personal data breach incidents have been affecting diverse structures, ranging from online services to the country’s online political infrastructure. In spring 2019, Canva, a Sydney-based service that offers free and fee-based access to design software, experienced a massive data breach in which the personal data of more than 130 million users, including names, personal e-mail addresses, location data, incomplete payment details, and encrypted personal passwords, was stolen. Gnosticplayers, the anonymous hacker or a criminal group, connected with ZDNet, a news media source in business technology, to brag about the crime, which looked as if they were pouring ridicule on Australia’s cyber security centers. In another region-specific case in November 2018, there was a cyberattack on the Australian National University, resulting in the stealing of rather sensitive records of 200,000 students, including contact and bank account information, payroll and academic progress data, and tax file number (TFN) details. Despite news coverage, the breaches did not spur data privacy legislation improvement decisions from the government.
The data privacy issue at the level of the political system is also evident. In 2019, there was an attack on the Australian Parliament House’s websites. Despite insignificant data losses, the fact that even influential politicians’ sensitive information has imperfect protection could lead to unfavorable conclusions about common users’ data privacy perspectives. In an attack preceding these events, some users of the parliamentary system’s website were temporarily banned from accessing their private e-mail accounts through the system. Based on this case, a few law enforcement deficiencies might be contributing to data breaches at the governmental level, including politicians’ insufficient adherence to the cyber hygiene course schedule. Therefore, the absence of mechanisms to control proactive data protection education and users’ course attendance could be a point of concern for Australia.
As a reaction to these and less recent data privacy incidents, there have been attempts to make Australia’s privacy law stricter to further strengthen the crime prevention potential of the APPs. In particular, two years ago, Bird & Bird, an international law service, recommended a series of legislative changes, such as redefining personal information in the law, facilitating the erasure of personal data, and strengthening user consent requirements and penalties for failure to comply with the act. Australia’s law reform commissions proposed a statutory tort for privacy invasion eight and fourteen years ago, but it has not been accepted in any form yet. Despite these proposals, law enforcement change linked with online data privacy has taken a different direction, which has implications for free speech and producing fabricated evidence. Using the recently adopted Surveillance Legislation Amendment Bill, Australian police are now allowed to access, copy, erase, and modify information during the investigations of online crimes. This creates extra risks for wrongly accused individuals and third parties who are not suspects.
Conclusion
Finally, Australia’s current data privacy legislation may seem less strict and consumer-oriented compared to the GDPR, which could have implications for law enforcement. Data breach cases affecting Australian users of online services, including governmental websites, are not rare. However, the government’s reaction to strategic reform proposals is mostly limited by new permissions for online crime investigators that might create opportunities for free speech violations via a data disruption warrant.