Privacy Watchdog and Media Regulator Launch Investigations into Optus

Many Australians feel that large corporations and their executives have gotten away with flouting the law without sufficient consequences for far too long.

And the recent Optus data breach has certainly added to that sentiment – with 10 million current and former customers of the Telco reportedly having their data unlawfully accessed, and potentially tens of thousands placed at risk of cyber crimes including identity theft and even blackmail at the hands of unscrupulous offenders.

Flood of complaints

The frustration has been exacerbated by the Telco’s apparent defensive and dismissive attitude towards the situation, with customers routinely being directed to deal with their plight themselves, and the company offering little by way of hands-on assistance let alone compensation for the stress, anxiety and potential victimisation caused by allegedly deficient systems.

This has led to a flood of complaints to the Telco itself as well as to regulatory bodies including the Australian Competition and Consumer Commission (ACCC), the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC).

Indeed, the ACCC recently advised a Federal Parliamentary committee that it has been receiving up to 600 calls a day from consumers to register complaints and obtain some semblance of assistance to deal with the situation.

At their wits end, many have registered interest in joining potential class actions against the Telco – something being explored by at least two civil law firms.

Investigations launched

On 11 October 2022, both the Commonwealth media regulator (ACMA) and privacy watchdog (OAIC) launched investigations into whether Optus fell short of its legal responsibilities to protect the personal data of its customers.

The ACMA says it is investigating whether the telecommunications service provider breached “obligations relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections.”

The Authority’s chairperson, Nerida O’Loughlin, stated:

“When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved.

All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.

We look forward to full cooperation from Optus in this investigation.”

The OAIC says its investigation:

“will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business”, adding:

“The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.”

Fines could be in the millions

In the event the investigations, or either of them, find that Optus did indeed breach its duties under the law, and the matter is then referred to the Federal Court of Australia, the Telco could face fines of up to $2.2 million for each contravention.

The findings of each body will be made public in due course, and will, most likely pave the way for regulator and law reform where necessary to better protect consumers who have no choice but to hand over sensitive personal and identifying information to companies in good faith that their data will be protected.

Hope for better protections in the future

There are significant lessons to be learned here for lawmakers and regulators as well as all Australian businesses, not-for-profits and government organisations. Prime Minister Anthony Albanese has already mooted a review of the Privacy Act by the end of this year.

But, unfortunately, while the pieces are still being put together, and until these independent investigations are complete and full details of the breach and any associated wrongdoing has been clearly identified, affected consumers feel like they’re the ones left paying a very hefty price for an incident that was completely out of their control, and they’re still facing a high degree of uncertainty which comes with stress and frustration.