As the Australian government begins to update the Privacy Act, researchers and advocates are calling for improved consumer rights and protections against data breaches, scams and data-driven targeting.

An open letter featuring more than 20 signatories, such as Choice, Human Rights Watch and several university research organisations, urged the government to enact urgent reforms to outdated privacy legislation.

“We know all too well the harm that inadequate privacy protections cause,” Choice senior campaigns and policy adviser Rafi Alam said.

“Gambling companies hound at-risk people with targeted advertising, data brokers sell our information without consent, and automated systems discriminate against marginalised people. We’ve also seen millions of consumers harmed by data breaches when businesses store too much personal information.

“To ensure the Privacy Act is fit for purpose in a rapidly changing digital environment, we are calling on the federal government to urgently implement a number of recommendations to protect the safety, security and integrity of our personal information.”

The recommended changes outlined in the open letter include:

• Modernise how “personal information” is defined so more of our data is protected
• Ensure businesses only collect and keep the data we want to share by establishing a “fair and reasonable use test”
• Entrust our regulators with the resources and powers needed to enforce the law
• Apply the Privacy Act to all businesses, regardless of size
• Introduce clear rules and guardrails for high-risk technologies that significantly affect human rights, such as facial recognition technology.

Consumers forced to protect themselves

In September, the government committed to introducing legislation in 2024 to protect Australians’ personal information in response to a review of the Privacy Act.

Chandni Gupta, Consumer Policy Research Centre (CPRC) deputy CEO and digital policy director, said Australia’s privacy laws are no longer fit for purpose in the modern world.

“Currently, our Privacy Act dates back to the ’80s. It pre-dates the digital economy as we know it today, and also pre-dates the internet,” she said.

“A lot of the onus is on consumers and individuals to navigate the privacy protections and to protect themselves. What we really need to see is the onus being shifted on businesses.

“At the moment, there are really no clear guardrails [for] businesses on how they collect, share and use our data.”

CPRC research shows while 84 per cent of Australians agree companies should be responsible for keeping data safe, just 15 per cent feel businesses are doing enough to protect their privacy.

Gupta said these results display a mismatch between what Australians expect and what privacy protections are offering them.

Anything you do and any information you provide can be tracked online; data can range from your location, to what device you are browsing the internet on, to specific personal information you store in apps or online.

“Because privacy policies can go up to anywhere, [even] up to 90,000 words, people aren’t reading them,” Gupta said.

“And they’re written in a legal way, you have no idea what you’re signing up for, how much data that you might be putting into an app or a service that you’re using, and how that’s being used and then shared to potentially the highest bidder.”

Dangers of data trading

Vanessa Teague, Thinking Cybersecurity CEO and Australian National University adjunct associate professor in computer science, described the state of data trading between companies as “disastrous”.

She said all companies have to do is ‘hash’ your data (a process which converts data such as text, numbers or files into a string of letters and numbers), and tell the Privacy Commissioner that the data has been “de-identified”.

There’s then a perception the data is not covered under the Privacy Act.

But your various interactions across the internet can be linked, and the data can still “very easily” be matched to you.

“That is commonplace, and in fact, it’s probably happened to you 100 times already today,” Teague said.

As your data profile grows, it can include everything from your health issues to financial situation, depending on the services you’ve accessed and the information you’ve handed over.

The more information about you is available, the more effectively it can be used to manipulate you through commercial advertising, and even “malicious” political misinformation campaigns or scams.

Teague said this is why it’s important the definition of ‘personal information’ is updated in the Privacy Act.

The government has agreed in principle that the Privacy Act needs to expand the concept of personal information.

But Teague said the commitment is not precise enough to inspire confidence the definition will be strengthened sufficiently to prevent the trading of data for advertising and other purposes.