Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC), has launched its first 'compliance sweep' targeting businesses that collect personal data in person. The sweep will examine 60 businesses across six high-risk sectors, including real estate agencies, car dealerships, and pubs, to ensure their privacy policies meet legal standards.
Privacy Commissioner Carly Kind highlighted a 'power asymmetry' in such transactions, where customers feel unable to refuse requests for personal information. Commissioner Elizabeth Tydd warned that this can lead to overcollection and prolonged retention of data, increasing cybersecurity risks. Businesses found non-compliant could face fines of up to A$66,000.
The sweep will focus on sectors where customers provide personal details during short, urgent transactions, such as open houses, car rentals, and ID scans at bars. The OAIC will inspect how these businesses store data, how long they keep it, and whether it is sent overseas. The review targets both large firms and small franchisees of national brands.
Industry representatives acknowledged past data breaches. James Voortman of the Australian Automotive Dealer Association noted that cybercriminals have targeted dealerships, but assured that dealers have invested in data protection. Real estate agencies have faced criticism for collecting excessive information, including bank statements and social media profiles, with some breaches occurring in 2022.
The New South Wales government moved to limit data gathering in July, estimating real estate agencies collect around 187,000 pieces of identification weekly. Risk adviser Stacey Holt said agencies often retain data to meet landlord insurance obligations and for marketing, but most delete it when no longer needed. The sweep was announced in mid-December, potentially catching some businesses off guard after the holiday shutdown.



