By Taufiq Arahman


The Optus Data Breach: the product of an antiquated regulation regime

It was only a matter of time before a cyberattack of this scale occurred in Australia. On 22 September 2022, Optus announced that a cyberattack had compromised the data of its customers including home addresses, driver’s licences and passport numbers (“the Optus Data Breach”).[1] I, along with many millions of Australians, am one of the victims of the data breach.

Customers are now faced with the scary reality that their identifying information is at risk of being used for scams, identity fraud or other cyber harm. Whilst Optus has contacted over 10 million people to advise them of their compromised data, Optus has left the onus on its customers to manage the harm, such as identity theft and scams, that may arise from Optus’ handling of customer data.[2]

The fact that Optus is not obliged to make further efforts on individual privacy issues reflects how unprepared and indifferent Australia is to the fast-moving digital reality. The more businesses enter the electronic world, the more abundant cyber threats and ransomware become, placing the data of Australian citizens at constant risk of being compromised at any given moment. In the aftermath of the Optus Data Breach, it is perhaps high time for Australia to reform its antiquated data protection regime to be consistent with current technological standards.

Penalties under the current Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) (“the Privacy Act”) sets out Australia’s current data protection regime which aims to promote the protection of individuals’ privacy by regulating and providing a framework for organisations to manage personal data. Whilst the Optus Data Breach has harmed the lives of millions, it seems that Optus did not contravene the Privacy Act by failing to adequately protect the private data of its customers.

Schedule 1 of the Privacy Act sets out the Australian Privacy Principle (“APP”) 11, which requires Optus to take “reasonable steps” to protect personal information it holds from unauthorised access or disclosure. The attack itself does not mean that Optus’ protective mechanisms failed to comply with the requirements of APP 11. For a breach of APP 11 to be made out, Optus must be shown to have been negligent in leaving itself open to an attack.

Nevertheless, even if Optus is found in breach, the maximum penalty available under the Privacy Act is $2.22 million (well below Optus’ FY21 profit of $35 million) and applies only in cases of serious or repeated breaches of privacy.[3] This is certainly less than the penalties available under the European Union’s General Data Protection Regulation, which fines corporations €10.0 million or up to 2% of total worldwide annual revenue for the preceding financial year, whichever is higher.[4]

The right to privacy in Australia

In respect of compensation, the Privacy Act does not provide a right for individuals to pursue a claim against third parties for breaches of privacy. Instead, a person must make a complaint to the Office of the Australian Information Commissioner (“OAIC”), which will investigate whether a privacy breach has occurred. If the Commissioner makes that finding, a person may be entitled to a ‘restrained’ award of damages in respect of the loss suffered as a result of the breach.

In ‘LU’ and Department of Defence (Privacy),[5] the OAIC awarded $10,000.00 for the distress suffered because of unauthorised access to and use of personal information.

The restrained quantum is perhaps owing to the Australian regime lacking a statutory tortious right of action for serious invasions of privacy. In ‘LU’ and Department of Defence (Privacy), the Commissioner noted that the ‘ultimate guide’ in measuring compensation is ‘the words of the statute’. Earlier this year, the Law Council of Australia made submissions for Parliament to consider the development of a statutory tort of serious invasion of privacy.[6]

The existing common law only protects privacy to the extent that there is an established legal principle to rely on, such as fiduciary obligations and breaches of contract. Without a statutory tort, the Commissioner is limited to awarding damages that are consistent with prior determinations and the Privacy Act, which currently does not cover the costs of legal representation.

Moving forward

According to a report by the Australian Cyber Security Centre, over 67,500 cybercrime reports were made by companies in the 2020-21 financial year.[7] Despite this statistic, the outdated privacy law has rarely gained the attention it certainly deserves. If there is a silver lining to the Optus Data Breach, it is perhaps that this is what Australia needed to encourage the government into a constructive discussion on reforming its data protection regime to increase penalties and the rights of individuals.

With personal information increasingly being stored online, Australia’s data protection regime must introduce stricter regulations to ensure that the companies we entrust with our personal data are doing the absolute most to safeguard Australians from another cyberattack, together with a big enough stick to ensure their compliance.


[1] Insider Retail, ‘Scam warning as Optus reaches out to 10 million customers after data hack’, (24 September 2022) available at

[2] Crikey, ‘1 in 3 Australians could be caught in Optus cyberattack and they have no recourse’, (23 September 2022) available at

[3] The Privacy Act 1988 (Cth) s 13G.

[4] See The General Data Protection Regulation, Article 27.

[5] [2017] AICmr 61.

[6] Law Council of Australia, ‘Privacy Act Review: Discussion Paper’, (27 January 2022) available at

[7] Australian Cyber Security Centre, ‘ACSC Annual Cyber Threat Report, July 2020 to June 2021,’ (15 September 2021) available at