Optus cyber-attack: company opposed changes to privacy laws to give customers more rights over their data

In its submission to Privacy Act review telco said giving people right to erase personal data would involve ‘significant’ hurdles and costs

Optus has repeatedly opposed a proposed change to privacy laws that would give customers the right to request their data be destroyed, with the telco arguing there were “significant hurdles” to implementing such a system and it would come at “significant cost”.

On Thursday, the company revealed it had suffered a massive cyber-attack in which the personal information of customers was stolen, including names, dates of birth, phone numbers, email addresses, addresses, and passport and driver’s licence numbers.

Optus began contacting customers whose personal information was compromised in the breach via email and SMS on Friday. It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.

The incident has raised questions about how long telcos should be required to keep the data, what obligations they have to protect it and what compensation customers should be entitled to in the case of failures.

Personal information is protected by the federal Privacy Act. In a review of the act launched by the Morrison government in 2020, the attorney general’s department canvassed views on whether people should be given the right to have their personal information erased, as well as increased rights to take direct legal action against companies over breaches.

Optus argued against both changes.

The company said in its submission that implementing a right to erase personal data would involve “significant technical hurdles”, and “significant” compliance costs. The costs would far outweigh the benefits, the company said.

Optus first argued in its 2020 submission that giving consumers the power to take direct legal action over privacy breaches could lead to frivolous or vexatious claims, and would not give people greater control over their personal information.

Any substantial changes to the act would “place a further drag on innovation and limit the benefits of digitisation,” the company said.

In an October 2021 discussion paper, the attorney general’s department formally proposed a direct right to action that would allow customers to seek compensatory damages as well as aggravated and exemplary damages.

In its response in January this year, Optus reiterated its opposition to the proposals, arguing the existing processes for consumer complaints were more “flexible”.

Guardian Australia has asked Optus if it stands by the submissions.

The attorney general, Mark Dreyfus, has indicated his department is in the “final stages” of its review of the Privacy Act.


Josh Taylor

The GuardianTramp

Related Content

Article image
Optus cyber-attack leaves customers feeling ‘powerless’ over risk of identity theft
Account holders say they are ‘angry’ personal data including addresses and phone numbers was exposed while some say they are yet to hear from telco

Royce Kurmelovs

23, Sep, 2022 @10:12 AM

Article image
Customers’ personal data stolen as Optus suffers massive cyber-attack
Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Ben Doherty

22, Sep, 2022 @5:14 AM

Article image
Guardian Essential poll: one in two Australians want stronger privacy laws after Optus breach
Survey finds 51% of respondents support restrictions on amount of data private companies can collect and 47% are worried about governments harvesting personal information

Katharine Murphy Political editor

03, Oct, 2022 @4:30 PM

Article image
Optus cyber-attack could involve customers dating back to 2017
CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was ‘worst case scenario’

Josh Taylor

23, Sep, 2022 @3:04 AM

Article image
Push to scrap Australia privacy exemptions for political parties due to risk of data breaches
Digital Rights Watch says cyber-attacks on political parties in 2019 narrowly avoided a breach that would have caused ‘unimaginable damage’

Sarah Martin

10, Oct, 2022 @4:30 PM

Article image
Optus reveals at least 2.1 million ID numbers exposed in massive data breach
Telco says 150,000 passport and 50,000 Medicare numbers have been stolen as it announces independent review

Josh Taylor

03, Oct, 2022 @3:50 AM

Article image
Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?
If you are an Optus customer, this is what you need to know

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Optus tells former Virgin Mobile and Gomo customers they could also be part of data breach
Identification repair service receives a month’s worth of complaint calls in three days as government pressures telco to pay for replacement ID documents

Josh Taylor

29, Sep, 2022 @5:32 AM

Article image
The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle
Government says telecommunications giant ‘left the window open’ for unsophisticated attack that could lead to European-style privacy laws

Tory Shepherd

30, Sep, 2022 @8:00 PM

Article image
Singtel confirms 2020 data breach after cyber-attack on Optus
Parent company of Australian telco says that the personal data of 129,000 customers and 23 businesses was obtained in a cyber-attack two years ago

Josh Taylor

10, Oct, 2022 @3:00 AM