Enter your email to read this article
Read news on any topic, in one place, from publishers like The Economist, FT, Bloomberg and more.

Optus cyber-attack: company opposed changes to privacy laws to give customers more rights over their data

Smartphone with logo of Optus on screen in front of the Optus website on a computer screen
Optus revealed on Thursday it had suffered a cyber-attack in which the personal data of potentially millions of customers was stolen. Photograph: Timon Schneider/Alamy

Optus has repeatedly opposed a proposed change to privacy laws that would give customers the right to request their data be destroyed, with the telco arguing there were “significant hurdles” to implementing such a system and it would come at “significant cost”.

On Thursday, the company revealed it had suffered a massive cyber-attack in which the personal information of customers was stolen, including names, dates of birth, phone numbers, email addresses, addresses, and passport and driver’s licence numbers.

Optus began contacting customers whose personal information was compromised in the breach via email and SMS on Friday. It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.

The incident has raised questions about how long telcos should be required to keep the data, what obligations they have to protect it and what compensation customers should be entitled to in the case of failures.

Personal information is protected by the federal Privacy Act. In a review of the act launched by the Morrison government in 2020, the attorney general’s department canvassed views on whether people should be given the right to have their personal information erased, as well as increased rights to take direct legal action against companies over breaches.

Optus argued against both changes.

The company said in its submission that implementing a right to erase personal data would involve “significant technical hurdles”, and “significant” compliance costs. The costs would far outweigh the benefits, the company said.

Optus first argued in its 2020 submission that giving consumers the power to take direct legal action over privacy breaches could lead to frivolous or vexatious claims, and would not give people greater control over their personal information.

Any substantial changes to the act would “place a further drag on innovation and limit the benefits of digitisation,” the company said.

In an October 2021 discussion paper, the attorney general’s department formally proposed a direct right to action that would allow customers to seek compensatory damages as well as aggravated and exemplary damages.

In its response in January this year, Optus reiterated its opposition to the proposals, arguing the existing processes for consumer complaints were more “flexible”.

Guardian Australia has asked Optus if it stands by the submissions.

The attorney general, Mark Dreyfus, has indicated his department is in the “final stages” of its review of the Privacy Act.