Medibank Hack led to loss of personal information for about 9.7 million Australians
When Medibank, the Australian’s largest insurer was attacked by hackers in 2022 losing personal data of about 7.9 million customers, there was a debate and conversation about data security and privacy. This and other cases such as Optus Data Breach in the same sparked a conversation on how prepared were the companies that collect and keep personal information to keep the data safe and use it responsibly. The conversation expanded to involve issues like data privacy measures that have been taken to protect Australians personal information. This was followed by review of Privacy Act and recommendation on the changes that needed to be made. The legal framework in Australia continue to evolve to increase data protection. The responsibility of data privacy falls on different agencies including companies, government and platform users. However, the users hold the greatest power and influence in shaping practices, laws and policies regarding how data is used.
Many users of digital platform feel they have no control on data collected and how it’s used, and they are bothered.
In the digital era, where technology has permeated every area of life, data privacy remain one to the top concerns for stakeholders especially the customers or platform users. In attempt to address the problem, one of the major concerns has been identifying the party that should be held responsible. A deeper analysis of who has the best interests and in the best position to influence the practices and policies would best help decide on which party should become more vigilant in addressing issues related to data privacy. In a survey conducted by Public Sector Network in 2024, only 32% of citizens felt in control the data that is collected from them. Although many Australians share similar sentiments, the reality is that the users can take advantage of the power they have to influence the practices. Achieving this requires the users to understand the power dynamics and the influence at the disposal and use it to their advantage.
Companies that operate social media platforms or use applications in service delivery are interested in business goals. Long term business sustainability and profitability are the key priorities. The customers or user are the major components that influence the success of the business. Every business is eager to anticipate and meet the needs and preferences of the customers. This means that the customer have great power to decide the standards of services they want and are ready to pay for. With respect to data privacy customers can become proactive and asked companies to inform them about the data they collect from them, how they intend to use the data and the rights the companies reserve to the users. Currently, most users believe that the companies are required by the law to protect user data and that should be enough for the entities to abide by. The reality is that enforcement is a major policy gap that has made it challenging to improve data privacy within the nations. Entities will make minimum efforts to show that they prioritize customer privacy while in reality they don’t. By being proactive and specific data the company collects, how they use the data and what they do with the data after using it would alert the companies that the users are very careful and conscious of data collection and use practices. Since companies are vested in meeting consumer needs, they would begin to consider data privacy as a key feature in their operations. If patients and customers has asked about the data the insurer was collecting, why it was necessary and how they intended to use it, the entity would have recognized that the patients are concerned about how their data is handled. The company would have taken more vigilant and robust approach to protecting data. It was baffling how such a huge company holding such sensitive data would lack multiple authentication for their corporate network system. Legally, they were doing minimum to adhere to the law. If the customers ask questions and demand accountability from the entities then they influence the product development aspects of these business hence increase responsible data handling practices.
Relying of entities to create and enforce data privacy rules and policies will never yield meaningful impact. User need to understand the psychology and existence of business. In the information era, every company is interested in collecting as much data as possible both in volume and variety. They want to connect as much details as they can because there are several opportunities. The common reason easily thrown at the user’s face is the need to improve the services and products they get. However, there are selfish interest that drive how companies handle user data which would make it hard for the businesses to create privacy laws that prioritize the user. Users need to understand how platforms are governed. First, companies reserve a lot of power in how they run their platform and how they handle data. Although “Terms of Service” document is used to denote care for the users, the document is drafted in a way to protect the entity from legal liabilities (Suzor, 2019). They often include the clause that the entity reserves the right to terminate services for the user. While this may be assumed as consent from the users, the entities often are guided by their selfish interest. They will avoid clauses in the document that will limit their interest or increase their legal liability. They would therefore not commit to high level of data privacy measures other that the minimum.
Google accused of collecting data from apps that were not related to Google
Facebook sought to involve users in developing use terms with the customers. At first the company stated that they would require 30% votes from all user to adopt a policy (Suzor, 2019). Given that the company has billion users, achieving the threshold was hard and this would limit the business ability to make decisions. As a result, the initiative was withdrawn. The initiative was not withdrawn because it was unattainable but because it would weaken the company’s ability to pursue its interests. In Australia, the Australian Competition & Consumer Commission (ACCA) found that Google has been tracking young people on non-Google platforms. These platform s such as DoubleClick have been built using Google technology and the company linked data from the platform on user activities to the Google accounts the same users had (Kemp, 2020). This link was used to create insight for advert targeting. These companies are very strategic at using legal loopholes to avoid accountability and purse their profitability and growth interests. It would therefore be unfair for users or the public to think that these companies would fight for their privacy or adopt proactive measure on the same.
Similarly, the legal landscape if filled with loopholes that makes the system ineffective in adequately protecting citizens’ personal information. One of the major enforcement gaps is that the law had set too small penalty for companies that violate the data privacy laws in Australia. Before 2022, the penalty was $2.1 million (Taylor, 2024). The amount was however increased in 2022 to $50 million. Although this is an encouraging move, the number of companies that have been actually penalized or fully held accountable is very low if any. Such information is scarce to the public. One of the major hurdles is the slow complain resolution process. Complains take years to resolve and often involve a very complex investigative process as companies try to push back. When users launch a complaint, the entities will not immediately admit their mistake but will rather deny. The process of proving violation is both complex and expensive for the government and the citizens. Low rate of enforcement and few meaningful outcomes for the everyday user discourage members of the public from raising concerns.
The exemption in the Privacy Act allow a lot of data to be collected by small business, political parties an private companies on their employees without protection (Commonwealth of Australia, 2022). Data breaches in small companies would expose the users to the same hurt just like it would if data was leaked by large companies. The rational for exemption is to support small business by reducing the burden of investing in high technologies to address data privacy problems. On the hindsight, the company is allowing certain companies to collect data from the public without adequate measure to protect it (Taylor, 2024). Given the businesses purse their profit interests, it is important for the lawmakers to review this section of the law to ensure that all entities that collect and handle public data are accountable and responsible. Another legal weakness is lack of clear or explicit right for an individual to file a suit on invasion of privacy (Commonwealth of Australia, 2022). The law provides that the individual can file a complaint with the relevant authorities such as Office of Australian Information Commission (OAIC) and the agency would investigate the case (Kemp, 2020). The law does not explicitly provide the step and procedures that would be taken if a person want to sue a company that violate their privacy rights. In additions most of the freedom rights apply to public entities and less on the private sector. Companies in public sector are expected to uphold higher standards of data privacy and security than private companies from a public administration and governance point of view. For private companies it is about achieving minimum security standards and adjusting to customer needs and preferences. For public entities, the pressure is from the laws but for private entities, the pressure is from the need to impress the customers. Another weakness noted during the Privacy Act review was that it did keep up with the emerging trends such as AI that introduce unique challenges to privacy rights.
Understanding these dynamics that shape the role and burden on various stakeholders is critical for the public to devise strategies that would yield meaningful outcome in protecting their privacy in the online platforms. The private entities would be the least to prioritize the need to protect data and would only do it if it is part of what the customers want. On the other hand, the primary guardian of public safety is plagued with many design and implementation weakness that make enforcement of laws hard. However, the yet untapped power and influence lie with the public. The customers as part of public can demand a trend to actively demand accountability and call out companies that they suspect do not handling data in a responsible manner. The subtle campaign can include public sharing their experiences, condemning unaccountability and pushing to actions by these companies. Companies often take advantage of the fact that users are less informed on privacy rules, rights and how violations happen. The public can mobilize each other and increase public education on data privacy and online safety. Speaking out, calling out companies and demonstrating greater knowledge on digital privacy will push companies to prioritize and take extra measures to meet these needs.
Digital privacy cannot be effected without laws and policies and the public can push for legal reforms. The tradition has been that legal reforms are sparked by external events. For example, the Medibank Hack and Optus Data Breach created the need for review of the Privacy Act. The public can become the source of these reforms by showing that it one their major concerns. The members of legislative arm are elected by the public and would therefore work to address issues that are of interest to the people that elected them. The members of public can initiate policies and provide adequate information that can justify the need for legal reform. The public should leverage the desire of the representatives to protect their political interest by addressing the urgent problems. When the public remain quiet and proactive about an issue, it is assumed not to be a priority.
In reality, digital privacy responsibility burden lies with companies and the government but weaknesses in the legal framework and selfish interests in entities have made digital privacy a major challenge in Australia. However, if the public realize the power and influence they hold in both entities and the law makers, they would leverage it to have stronger and effective framework that serves their privacy needs and interests. Public education and online activism are tools that the public can engage in to address challenges related to digital privacy whether on social media or other platforms.
References
Commonwealth of Australia. (2022). Privacy Act Review. Canberra : Australian Government.
Kemp, K. (2020, July 29). The ACCC is suing Google for misleading millions. But calling it out is easier than fixing it . USNW Sydney.
Suzor, N. P. (2019). Lawless: the secret rules that govern our digital lives . Cambridge : Cambridge University Press.
Taylor, J. (2024, June 17). Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges .
Be the first to comment