Optus argued against changing privacy laws to give Australians more rights over their data before hackers stole the personal information of up to 9.8 million of its customers.
The Singaporean-owned telco giant more than once opposed proposed changes to the Privacy Act that would have given customers the right to request their data be destroyed.
The Morrison government launched a review of the Privacy Act in 2020, proposing multiple reforms, including increasing users’ rights to take legal action against companies over data breaches.
In two submissions to the review, Optus argued the existing act was working well.
The company said Australian telcos didn’t need a “right to erasure”, a spin on Europe’s “right to be forgotten, which gives people the right to ask organisations to delete their personal data.
“There are significant technical hurdles to implement this for most sectors of the economy and much more research needs to be conducted,” the company said one submission.
“Optus submits that the compliance cost of an express right to erasure in the Privacy Act is likely to far exceed the benefits that flow from the right. There is insufficient evidence of a problem which would justify the costs.”
Optus said it didn’t “see any justification for changes to the existing Privacy Act”.
“We find that the processes are working reasonably well and have resulted in good outcomes for consumers and businesses,” the telco said in a submission.
“Optus is not of the opinion that there should be additional protections in relation to deidentified, anonymised and pseudonymised information.”
Optus took issue with what it called “over the top” providers — such as Facebook, Google and Apple — being exempt from adhering to separate telecommunications laws, arguing they had been given “favourable treatment” by the federal government.
Optus argued Australian-based telcos were already subject to “greater obligations” under these laws than they were under the Privacy Act.
The telco disclosed on Thursday afternoon it had been subjected to a massive cyberattack that had been detected on its systems on Wednesday.
Optus chief executive officer Kelly Bayer Rosmarin said soon as the telco learned of the hack it took action to stop it and launched an investigation.
Speaking to reporters on Friday, Ms Rosmarin apologised to customers.
She said she was “devastated” by the attack, which compromised information including names, dates of birth, addresses, phone numbers and in some cases passport or driver’s licence numbers.
Ms Rosmarin said Optus believed the number of people who had data stolen was substantially lower than its “worst case scenario” of 9.8 million.
The amount of data stolen and the reason for the attack is not yet known, with the Australian Cyber Security Centre and the Australian Federal Police investigating.
Optus has been contacted for comment as to whether it still opposes changes to Australia’s privacy laws.
The Attorney-General’s Department is expected to present the Albanese government with a final report from the review of the Privacy Act before the end of the year.
It is expected to result in new legislation.