Australia's national privacy regulator has launched its first-ever "compliance sweep," targeting dozens of businesses including estate agents, pubs, and car dealerships over how they collect and store customers' personal information.
Power Imbalance and Overcollection Under Scrutiny
The Office of the Australian Information Commissioner (OAIC) will inspect 60 businesses across six high-risk sectors throughout January. The focus is on situations where a "power asymmetry" exists, as described by Commissioner Elizabeth Tydd. This occurs when companies make in-person requests for personal details during short, urgent transactions, leaving customers feeling unable to refuse.
Privacy Commissioner Carly Kind warned that such scenarios make individuals vulnerable to the overcollection of their data, creating significant security and privacy risks. A key concern is businesses holding onto personal information for far longer than necessary, which Tydd said creates additional cybersecurity vulnerabilities where data can be harvested.
Businesses found to have privacy policies that fail to meet legal standards could face fines of up to $66,000.
Sectors and Businesses in the Crosshairs
The OAIC's sweep will concentrate on sectors where sensitive data is often exchanged quickly. The targeted industries include:
- Rental and Property Inspections: Estate agents who request phone numbers at open houses or demand extensive personal data from tenants.
- Licensed Venues: Pubs and bars that scan IDs for entry.
- Car Rental Companies and Dealerships: Businesses that collect personal data and copies of driver licences for rentals or test drives.
- Chemists and Pharmacists: Particularly regarding collection of information for paperless receipts and medication provision.
- Pawnshops and Secondhand Dealers.
An OAIC spokesperson indicated that while larger businesses with more customers would be targeted, the review could also check on small franchisees of big national brands, such as in the real estate sector.
Industry Responses and Past Breaches
The crackdown follows notable data breaches and criticism of certain practices. Franchises of major real estate agencies Harcourts and LJ Hooker suffered data breaches in 2022. The industry has previously resisted tighter data protection rules, despite practices such as some agents asking tenants for 12 months of bank statements, social media profiles, and even details about tattoos.
Stacey Holt, a risk adviser and CEO of Real Estate Excellence, explained that agencies often keep tenant data to meet landlords' insurance obligations and for marketing purposes. She noted that most businesses she works with delete data when it's no longer needed, but breaches are more common among agencies using generic, borrowed privacy policies.
In the automotive sector, James Voortman, CEO of the Australian Automotive Dealer Association, acknowledged that cybercriminals have targeted dealerships, leading to several breaches. He asserted that new car dealerships have invested heavily in protecting customer data.
The New South Wales government acted in July to limit data gathering after estimating that real estate agencies alone collected roughly 187,000 pieces of identification information every week.
Commissioner Tydd suggested on Friday that businesses have likely already strengthened their privacy policies in anticipation of the sweep, which was announced in the busy mid-December period. Some targeted businesses may be caught unawares as they resume trading after the holiday shutdown.



