Expert says AUSTRAC has a 'cultural problem' with consumer privacy

George Lekakis

A public stoush over data collection practices is set to erupt in Australia as privacy advocates agitate for checks on measures advanced by AUSTRAC to enforce anti-money laundering and counter-terrorism financing laws. 
 
Members of the country’s leading privacy advocacy group – the Australian Privacy Foundation (APF) – believe AUSTRAC’s promotion of data collection by financial institutions has entered the realm of overreach and is now potentially disproportionate to the community threats posed by money laundering and terrorism financing.
 
APF chair David Vaile is concerned that AUSTRAC appears to no longer consider consumer privacy a legitimate constraint on its efforts to combat money laundering activity in Australia.
 
“In recent years AUSTRAC has built a terrible record of helping to undermine the privacy of Australian consumers,” Vaile says.
 
“AUSTRAC is a big part of the problem, partly because it no longer engages with privacy advocates and civil liberties experts about data collection rules it promotes across the financial services industry to support its work.
 
“There’s no internal voice within AUSTRAC itself to assess the privacy impact of policies it wants financial institutions to follow on data management and retention.
 
“Ultimately, I think there is now a cultural problem that supports imposing increasingly disproportionate obligations on data collectors and intermediaries.” 
 
Vaile says that before 2018 the enforcement agency actively engaged with consumer advocates and other community stakeholders to consult on the privacy effects of proposed enforcement measures.
 
For more than a decade AUSTRAC operated a privacy consultation committee that included privacy advocates, participants from state Bar associations, and representatives from the federal Office of the Information and Privacy Commissioner. 
 
“Before it was disbanded in 2018 AUSTRAC did understand they needed to balance their work with privacy,” says Vaile.
 
“Today, they seem to think that the only solution to money laundering activity is for banks and telcos to harvest and retain more consumer information.
 
“It reflects a maximalist approach to data collection.”
 
If Vaile’s assessment of AUSTRAC’s maximalist approach is valid, then the agency is likely to rail against the design of reforms to federal privacy laws being recommended by a review within the Attorney General’s Department.
 
The long-running review, which was commissioned by the former Morrison Government, proposes in a discussion paper released last year that “data minimisation” be the overriding principle for reforming the Privacy Act.
 
“Privacy risks can be reduced or avoided when a data minimisation approach is adopted,” the review observed in its discussion paper.
 
Vaile is hoping the federal government will move to strengthen the data minimisation requirements of the privacy laws, which he says are necessary to prevent and mitigate the fallout from cyber-attacks on large customer databases managed by financial institutions and other service providers.
 
If such reforms were sufficiently robust to enshrine data minimisation as an obligation on data collectors, Vaile says they could act as a check against practices that are now “out of control in the corporate sector”.
 
“I accept that AUSTRAC has to be a proponent for companies being able to collect consumer data, but there seems to be no constraint on that activity at the moment,” he says.
 
“The unnecessary collection and retention of data has become a major problem because companies view information on their customers as an asset that can help them to widen product relationships.
 
“But privacy breach events like the Latitude incident demonstrate how those assets can quickly turn toxic for companies and their customers.”
 
Privacy laws founded on a principle of data minimisation would require companies to limit the collection of personal information to only what is “reasonably necessary for an identified purpose”.
 
Consumer groups have told Banking Day that recent mega fines dished out to several major banks for non-compliance with AML laws had resulted in deposit takers pressuring deposit account applicants to furnish identification in excess of legal requirements.
 
While such practices might be understandable, the banks are nonetheless digitising copies of the customer information on their operating platforms.
 
Vaile says that these practices highlight the need for consumers to have a right to sue for damages they incur as a result of data theft.
 
Australia remains one of the few OECD jurisdictions yet to give consumers wide-ranging individual rights of action when their data is stolen.
 
The review has also recommended that consumers be given a right to mount class actions against service providers that fail to protect their personal information.
 
Attorney General Mark Dreyfus said in January that the government would consider other proposals recommended by the privacy review, including a right for a customer’s data to be erased after a product or service relationship had ended.
 
AUSTRAC currently requires financial institutions to retain customer information for seven years after the termination of a service relationship.
 
Vaile acknowledges there is a competing tension between the need for privacy and the work of law enforcement agencies.
 
He says AUSTRAC needs to strike a balance between the two competing priorities and that the proposed reforms of the privacy laws could support a “rebalancing” of data collection practices in the financial services industry.
 
“As things currently stand banks and other service providers are projecting risk onto victims of data theft events with impunity because the rights of consumers to take legal action are limited or non-existent,” he says.
 
“But if consumers had a right to sue – which they do in most other Western countries – then that would also act as a check against unstructured data management and unbridled collection of sensitive information.”