Privacy laws reform looms as poor data policies put consumers at risk


There are concerns about personal data taken from Australian consumers. Photo: TND/Getty

The federal government will make significant changes to how personal data is protected in Australia after a review of the Privacy Act found current laws are unfit for the digital age.

The Attorney-General’s office accepted 38 of the 116 recommendations and another 68 in principle, paving the way for Australians to be able to sue for serious breaches of privacy and forcing small businesses to comply with privacy laws once the recommendations are implemented.

It comes amid major concerns over the privacy of data Australian drivers share with their car manufacturers, including Kia, Hyundai, Toyota and Ford.

David Vaile, who leads the privacy and surveillance stream at the University of New South Wales’ Allens Hub for Technology, said Australians currently have fewer protections than overseas jurisdictions, where companies have been successfully sued for serious data breaches.

“This is something that has been recommended for 30 years by five different law reform reviews,” he said.

“There’s no reason why Australians should be almost the only people in developed countries that can’t do this.”

A serious concern

Data security is a serious concern for Australians, with 62 per cent of people surveyed by the Office of the Australian Information Commissioner reporting they see the protection of their personal information as a major concern, and 89 per cent believing people should be able to seek compensation for a breach of privacy.

Vaile said when it comes to identity theft, any leaked information compounds with other data already available to malicious actors.

“People are not aware of how low-grade and fragmented information can be and still be used for direct ID theft,” he said.

“There have been data breaches that are never discovered, and a lot of ones that are discovered but never reported.”

Currently, there is “no recourse for Australians whose privacy is invaded in circumstances which fall outside the scope of the [Privacy] Act,” according to the government’s response to the review, and the government plans to consult on giving individuals the power to sue if:

  • There is a serious invasion of privacy
  • The person had a reasonable expectation of privacy
  • The invasion was committed intentionally or recklessly
  • The public interest in privacy outweighs any countervailing public interest.

Attorney-General Mark Dreyfus’s office accepted a large number of the recommendations made by the review. Photo: AAP

Other recommendations from the review that have been accepted include creating a criminal offence for people who intentionally re-identify or de-identify information to harm another person, introducing greater protections for children, and making companies inform a commissioner of data breaches within 72 hours.

Increased data collection

Last month, Mozilla’s Privacy Not Included report revealed the sophisticated and extensive data that car companies gather from their customers through third-party apps and ecosystems built around modern ‘smart’ cars.

Dali Kaafar, executive director of the Macquarie University Cyber Security Hub, said many international car brands already have a history of poor data protection and practices.

“At some point, this data might be leaked. It might be subject to a cyber breach by an organisation that has come through the supply chain of data brokers, for example,” he said.

“The car brands wouldn’t know that the data has been hacked in the first place.”

The New Daily examined the Australian privacy policies of major brands — like Kia, Toyota and Ford — and found they permitted the collection of a wide range of data and, in some cases, allowed it to be sent overseas.

According to Kia’s policy, Hyundai in South Korea, India, Indonesia and the Czech Republic, as well as third-party contractors outside of Australia, can access the data of Australian customers.

Ford Australia failed to respond to questions, but the company’s privacy policy allows it to share customer data with “related companies overseas and to our overseas service providers”.

The data it collects includes names, addresses, email addresses, phone numbers, driver’s licence and registration, date of birth, occupation, gender, and information on vehicles.

When asked how it protects customer data and ensures it remains safe, Kia Australia pointed to its privacy policy and didn’t answer The New Daily’s questions.

The policy states it can collect personal information including names, date of birth, email addresses, home and postal addresses, contact numbers, demographic information, financial details, payment details, and data collected “as a result of connected service functionality”.

Breaches have occurred

A spokesperson for Toyota Motor Corporation Australia (TMCA) — the company with the largest market share in Australia — said it collects data from customers to support sales, after-sales service, warranty requirements, research and product improvements, but does not “routinely collect data that is defined as sensitive information under the privacy act”.

“TMCA uses a broad range of security measures to protect this data including internal access limitations, data encryption, anonymisation strategies and the use of secure servers located in Australia,” the spokesperson said.

“Where data is held in overseas locations, it is done so in line with Australian law.”

The spokesperson said that reasonable steps are taken to protect customer data from misuse, data is not sold to third parties, and when “identifiable data is shared with third parties, it is done so with the consent of the individual”.

Toyota left Oceania and Asia customer data publicly accessible between October 2016 and May 2023, with names, addresses, phone numbers, email addresses, and vehicle information available on the internet.


Toyota has already revealed one major data breach of customer data. Photo: AAP

Kaafar said the safeguarding of personal information extends beyond the notion of boundaries and borders, and once data leaves Australia and arrives with third parties it is difficult to track.

Copyright © 2024 The New Daily.
All rights reserved.