Real estate agents are pushing back against proposed privacy law changes, saying small businesses should not face more red tape to keep customer and tenant data safe.
The Real Estate Institute of Australia president, Hayden Groves, said an “additional layer of responsibility is really not necessary” on top of agents’ existing duties and increased regulatory risks could be “the last straw” for smaller agencies.
Groves acknowledged in the wake of data breaches at Optus and Medibank that there was legitimate debate about the personal information collected by agents. Franchises of real estate agents Harcourts and LJ Hooker were hit by data breaches in 2022.
But Groves suggested a code of practice could help guide agents to collect only necessary information, without bringing them within scope of the federal Privacy Act.
In February the Attorney General’s Department released a review calling for Australians to gain greater control of their personal information. Users would have the ability to opt out of targeted ads, erase their data and sue for serious breaches of privacy.
Despite a consensus on the need to update privacy laws, aspects of the proposal are under attack from social media and tech companies concerned about limits on “targeting” of users, and media organisations who want an exemption from the proposed right to sue.
Now the REIA has called on the government to retain the small business exemption to the Privacy Act, because otherwise an estimated two-thirds of agencies with a turnover of less than $3m will be captured. REIA’s submission also proposes that a new penalty regime should be delayed until 2025.
Groves said “unilaterally” removing the exemption “might not bring tangible benefits to consumers, while adding unnecessary additional risks on small businesses”.
“We’re not against protecting consumers, of course,” he said. “They’re our customers.”
He said the REIA had reminded members to only collect “sufficient” data that they need to assess prospective tenants’ ability to meet obligations under a lease, check that “they are who they say they are” and nothing further.
Groves noted agents are already subject to state and territory legislation that they exercise “due skill and diligence” in all aspects of their business.
“We are already, as an industry, heavily regulated, and appropriately so … this would be another component of risk that might prove detrimental to free enterprise.”
But the consumer group Choice has submitted that the reforms do not go far enough, suggesting that the requirement that data collection be “fair and reasonable in the circumstances” could be strengthened with a duty to act in customers’ best interests.
Choice’s consumer data advocate, Kate Bower, said it was “critical” that small businesses be covered by the act because of the “huge” scope of information collected.
“The risk of data breaches in terms of identity theft and scams is quite serious and real. For consumers it makes absolutely no difference if the business [subject of a breach] had a turnover of $3m or more.”
Bower said it was “disingenuous” for businesses to lobby against the changes.
“They are the ones that benefit from this data collection, they really need to be responsible with it and they shouldn’t have any objections to regulations that would assist that.”
“They haven’t put enough work and effort into appropriate data collection and security and that indicates the regulation is needed because, left to their own devices, they’re not doing enough.”
The attorney general, Mark Dreyfus, has promised to consult on the reforms.