Australia's privacy regulator has launched its first major "compliance sweep," targeting dozens of businesses including estate agents, pubs, and car dealerships over how they collect and store customers' personal information.
Power Asymmetry and Overcollection Under Scrutiny
The Office of the Australian Information Commissioner (OAIC) will inspect 60 businesses across six high-risk sectors throughout January. The focus is on situations where a "power asymmetry" exists, meaning customers feel unable to refuse requests for personal data during short, urgent transactions.
Privacy Commissioner Carly Kind stated that such scenarios make individuals vulnerable to the overcollection of their details. Commissioner Elizabeth Tydd warned that holding information longer than necessary creates significant risks, including heightened cybersecurity threats where data can be harvested by malicious actors.
Businesses found to have privacy policies that fail to meet legal standards could face fines of up to $66,000.
Sectors in the Spotlight for Data Handling
The OAIC's sweep will specifically examine businesses in the following sectors:
- Rental and property inspections, where agents often request phone numbers at open houses.
- Chemists and pharmacists collecting data for paperless receipts and medication.
- Licensed venues that scan IDs for entry.
- Pawnshops and secondhand dealers.
- Car rental companies and dealerships that keep copies of driver licences for rentals or test drives.
Companies will be required to demonstrate that their policies clearly detail how and why customer data is stored, the retention period, and whether it is sent overseas.
Industry Responses and Past Breaches
James Voortman, CEO of the Australian Automotive Dealer Association, acknowledged that cybercriminals have targeted dealerships, leading to several data breaches. He asserted that new car dealers have invested heavily in data protection.
The real estate sector has faced particular criticism. Practices have included asking tenants for 12 months of bank statements, personal social media profiles, and even details about tattoos. Franchises of major agencies Harcourts and LJ Hooker experienced data breaches in 2022.
Stacey Holt, a risk adviser and CEO of Real Estate Excellence, explained that agencies often keep data to meet landlord insurance obligations and for marketing. She noted that most businesses she works with delete data when it's no longer needed, but breaches are more common where generic, borrowed privacy policies are used.
The New South Wales government acted in July to limit data gathering, estimating that real estate agencies collected roughly 187,000 pieces of identification weekly.
An OAIC spokesperson confirmed the sweep would target larger businesses but could also check small franchisees of national brands. With the announcement made in mid-December, some businesses may be caught unawares as they return from holiday shutdowns.
