Senate debates

Tuesday, 23 June 2026

Adjournment

Personal Information and Privacy, Middle East

7:57 pm

David Shoebridge (NSW, Australian Greens)

I'm going to talk tonight about a recent finding from the Privacy Commissioner that American Express Australia broke a person's privacy under the Privacy Act. The company failed to take reasonable steps to stop its own staff from rummaging through the private data and information of their customers when those staff had no right or reason to access. Amex were ordered to apologise, to fix their systems and to pay compensation, but at the centre of this case is a real person. The privacy watchdog calls them BAM to protect their identity. Behind that label is someone who trusted a company with their private information and then trusted the Privacy Commissioner and was then let down.

The harm came from inside Amex, where a staff member who had a previous relationship with BAM was able to repeatedly access his records, and the company had no data tracking to record the access or any active measures to prevent it. The commissioner was clear about why this matters. When staff go digging into customers' files for the wrong reasons, the consequences for that person can be serious. We're talking about fraud and potential blackmail if the information exposes a person's private details, as well as the risk of domestic and family violence where a person's safety can depend upon their information staying private. Amex has been ordered to compensate BAM for what they lost and what they went through, to apologise to them in writing and to finally put in place the data protections that should have been in place from the outset.

BAM should have never had to fight for that. Let's be clear, this fight took years with serious delay inside the OAIC. Having finally won and been handed a determination in his favour, BAM was then hit with a legal threat and a gag from the Privacy Commissioner. He was told he could not share the full determination with anyone and would be limited to sharing details published by the Privacy Commissioner in a sanitised summary of the case put on the OAIC website. The public summary published by the Privacy Commissioner softens, recasts and omits critical findings in the full determination, and, in every instance, those softening, those recasts and those omissions are in Amex's favour.

I'll now read out a few examples of those discrepancies. Firstly, the public summary removes much critical context regarding the allegations of domestic violence committed by the employee involved, the one who improperly accessed the data. The final determination states that 'the complainant provided information to the respondent alleging he was the victim of assault and coercive control perpetrated against him by the employee', while the public summary merely notes:

… the complainant raised certain allegations against the employee directly.

This fails to address Amex's knowledge of the complainant's vulnerability.

Second, the public summary removes any reference to the fact that the employee involved may still have access to BAM's personal information. By contrast, the final determination reads:

The respondent has not provided evidence as to whether all of the complainant's personal information has … been purged … the employee may still retain the ability to access it.

The public summary also edits out the fact that, following Amex's internal investigation after they received BAM's first complaint, the employee retained access to BAM's account and accessed it again. The final determination reads:

The respondent is aware of the employee accessing the complainant's account after the complainant's complaint … it is concerning that the employee continued to have access to the relevant systems that was not restricted or suspended … the respondent was already on notice regarding the complainant's vulnerability.

That's in the final determination but not allowed to be shared. By contrast, the sanitised public summary merely reads:

… AMEX … took steps to investigate, including reviewing the employee's access logs …

That little summary, the public summary, also fails to include the finding from the final determination that no access logs are kept for 70 per cent of Amex's systems.

Finally, the public summary does little to inform the public of the scale of the number of people affected by Amex's actions. As the final determination outlines, Amex has close to 90 million cards in force worldwide, with 1,500 staff in Australia and more than 70,000 globally, all with this kind of untracked access and each of whom has access to card members' data without restrictions and without anything preventing unauthorised access. There are major deficiencies in logging, meaning Amex is unable to even detect when unauthorised access occurs. Amex's actions and breaches of privacy law have a significant effect on more than one million Australians who are or have been Amex's customers. The public should be made aware of these risks. It should be the commissioner who makes them aware, not a complainant who is then threatened with legal proceedings if he tells the truth.

I'd like to finish with some words from BAM himself, but not before I thank him for trusting my team with supporting him in this matter for years. It should not have been so hard, taken so long or ended in this way. The system should have taken his very reasonable and clear complaint and acted on it promptly and transparently. It is a deep, deep disappointment that this multilevel failure has happened.

These are the words from BAM:

The Privacy Commissioner found in my favour after a drawn-out three-and-a-half-year investigation, finding that AMEX had breached my privacy. I won, but my battle continues. The Commissioner has threatened me with court injunctions if I communicate any part of the determination to anyone, preventing the public from knowing the truth about AMEX's security flaws. The past four years have been traumatic and taxing, and I ask how it is possibly in the public interest to gag and silence complainants, who speak out and protect their privacy against large corporations? How is it in the public interest to protect AMEX instead of the Australian public, including AMEX's millions of customers?

Well, I ask those questions too, BAM.

On 3 August, the world will commemorate Roja Resh, or the Black Day, when, in 2014, ISIS attacked Sinjar in Iraq and started the genocide of the Yazidi people. Thousands of Yazidis were massacred and thousands more women and children kidnapped and sold into slavery in some of the most unspeakable conditions. It was one of the darkest chapters in modern history. Hundreds of thousands have been displaced by the violence—forced from their homes, their land and their history.

The defeat of ISIS did not mean the trauma simply disappeared. To this day, I hear from the Yazidi community about the fear they still feel from what occurred in 2014, and I want to read some words from a Yazidi family that has resettled here in Australia, building their own life, who speak about this fear. They are as follows:

The genocide created fear throughout the wider Yazidi community, including among Yazidis living in northern Syria. As reports of the massacres spread, many Syrian Yazidis feared that ISIS would target them next. Families fled their homes, sought protection from local security forces or relocated to safer areas. The events in Iraq demonstrated how quickly an entire community could be targeted because of its religious beliefs, leaving many Yazidis in Syria feeling vulnerable and uncertain.

More than a decade later, the Yazidi community is still recovering from the effects of the genocide.

…   …   …

Many Yazidis in Syria continue to live with fear and uncertainty today.

Political changes, ongoing conflict, and the emergence of a new Syrian government have led some Yazidis to question whether they will remain safe in the future. Although authorities have stated that religious and ethnic minorities will be protected, many Yazidis remain cautious because of their history of persecution and reports of discrimination and abuses against minority communities in parts of Syria. The trauma of the 2014 genocide continues to influence how many Yazidis view their security and future.

The genocide had a profound impact on Yazidi culture and society. Entire villages were destroyed, families were separated, and many survivors continue to experience long-term psychological trauma. Despite these challenges, the Yazidi community has proven remarkable resilience. International aid organisations, governments, and community groups have supported reconstruction projects, education programs, and efforts to locate missing persons.

Today, the Yazidi people continue to rebuild their communities while preserving their cultural and religious traditions. While significant progress has been made since 2014, many challenges remain. Recovery is ongoing, and many Yazidis continue to seek justice, security, and recognition for the suffering their community endured. Their experience serves as an important reminder of the consequences of genocide and the importance of protecting vulnerable communities around the world.

I'd like to make one thing very clear. Standing here in this parliament, I say loud and clear to every Yazidi who has settled in Australia, whether in Wagga Wagga, Toowoomba or wherever: you are cared for, and your protection and your safety are important to all of us. The deep cultural ties you had and still hold with the land you were forced from are real, but you are home here too, and we welcome you to heal and rebuild among and with us.
