The days of companies treating personal data as a lucrative asset are over, and the federal government must take immediate steps to overhaul Australia’s privacy laws after the Optus hack, experts said.

Privacy advocate James Clark, executive director at Digital Rights Watch, said governments must crack down on an insidious culture of personal data hoarding that has been normalised by corporate Australia.

“We’ve got to act in light of this breach,” he told The New Daily.

“This is a much broader problem than just Optus.”

The comments come as the true extent of a massive hack of personal data at Optus last week become clearer, with the federal government revealing on Thursday that up to 40 per cent of Australians are affected.

Up to 9.8 million people had information on licences, Medicare cards and passports stolen, as well as addresses, phone numbers and emails.

And as angry customers question why the telco was holding so much data, Attorney-General Mark Dreyfus revealed on Thursday that reforms, including tougher penalties for companies like Optus, are on the table.

“We need to bring the privacy laws Australia has up to date to make them fit for purpose in the digital age,” he told Radio National.

But advocates said piecemeal reforms wouldn’t go far enough and a much broader overhaul was needed.

“Government obviously needs to lead the way here,” Mr Clark said.

“They need to set the standard on privacy reform for the safety of peoples’ data.”

Advocates demand urgent reform

Advocates said that the government must start by improving access for compensation available to victims whose data has been stolen.

Despite calls from five major Law Reform Commission reviews, there is currently no right to sue for a breach of privacy in Australia.

This means that all consumers can do is complain to the regulator, the Office of the Australian Information Commissioner (OAIC).

“People have got no legal rights to pursue their own interests in Australia,” Australian Privacy Foundation chair David Vaile said.

“The two major parties continued to ignore the the recommendations of the very extensive reviews.”

Mr Vaile said companies needed to realise that sensitive and personal information was a “toxic asset” and they should minimise the amount of data collected on individuals.

“You’re not rich. It’s not like the GFC, where you think you’ve got all these incredible, fancy new assets,” he said.

“When the music stops, you discover, you’ve got a toxic asset, and the more that you’ve got, the bigger your problem is.

“The day of data minimisation has finally arrived.”

Prime Minister Anthony Albanese said on Thursday that the government was considering whether it was appropriate for companies to retain such vast quantities of Australians’ personal data for more than seven years.

He said new laws requiring companies to delete data after they finish using it to verify identities would be “common sense”.

The true extent of the amount of data Optus was holding on Australians is only becoming clear a week after the company revealed the hack.

On Thursday it emerged that even Virgin Mobile and Gomo customers may have been caught up in the breach, while the government has baulked at revelations 37,000 Medicare numbers were stolen.

Those were details the telco failed to disclose when they went public with the hack last week.

However, under Australia’s privacy laws Optus could have waited up to 30 days to inform customers their personal information had been taken.

He argued that doesn’t align with the goal of the Privacy Act, which is supposed to put the victim in the best position to mitigate their loss and protect their own interest.

“There’s no point telling someone they should have changed their logins or cards or whatever a couple of weeks ago, or a week ago or even five, six days ago,” he said.

“Ideally, the obligation needs to be to act as fast as possible because any harms that may come from it will manifest very quickly.”

The government is expected to unveil reforms requiring companies that hold data to more rapidly inform banks after a hack has occurred.

Businesses have been required to report data breaches to the OAIC since 2017.

And as of July, critical infrastructure assets must also report cyber incidents to the Australian Cyber Security Centre within 72 hours.

Tweet from @ClareONeilMP

Mr Dreyfus said that aside from considering how long companies can hold consumer data, the government will also review whether penalties under the Privacy Act are adequate.

Under current laws, the maximum companies like Optus can be fined for a data breach is $2.2 million.

But after a series of government reviews that have gone nowhere over the past two decades, advocates say security standards for companies aren’t high enough.

“We need to make sure that we have a regulator who’s empowered to proactively make sure that these companies are delivering on that kind of standard of security, and holding them accountable for when they don’t,” Mr Clark said.

“We need an empowered regulator that can work with companies and other people in this space to make sure that anyone collecting and retaining personal data is both given the resources to keep that safe, but also held accountable.”