Australia’s privacy commissioner has placed an extraordinary gag order over her determination into a complaint about American Express, after a sustained campaign by the credit card company to keep the details secret.
The Office of the Australian Information Commissioner (OAIC) last month upheld a customer’s complaint that an Amex employee he briefly dated used his position to spy on the customer’s card accounts and activity, raising serious questions about the company’s internal security controls.
The substantiation of the complaint vindicates the customer’s four-year battle for acknowledgment that American Express breached his privacy and entitled him to more than $23,500 in economic losses alone, which commission staff flagged last year would constitute the highest payout in Australian privacy breach history.
But the potential implications for the data security of the millions of American Express customers worldwide remain unknown, after Privacy Commissioner Carly Kind decided not to publish her full determination beyond a summary that will be posted on the commission website.
She told complainant John Smith (not his real name) in a cover letter to her decision that by “opening, reading and retaining” the determination he acknowledged and accepted it was provided on a confidential basis.
“Any unauthorised disclosure or use of the determination, or any part of its contents, may constitute a breach of that obligation of confidence. In the event of any actual or threatened unauthorised disclosure … I reserve the right to bring proceedings seeking urgent injunctive relief to restrain further disclosure or use, and take further action as may be available at law or in equity.”
The threat of legal action capped a dramatic about-face from the commissioner, who three weeks earlier signalled her intention to publish her reasons, subject to any redactions suggested by the parties.
“This public version will be available to both parties and will not be subject to any obligations of confidence,” she wrote to Smith on May 19.
Smith said he never sought financial compensation, and his chief concern had been holding American Express accountable for failing to protect Australian account holders. It was not clear what, if any, steps Amex had taken to tighten systemic security failings that caused his personal information to be compromised.
“I wanted an apology and a public acknowledgment so that American Express customers would be protected. I’ve got neither of those things,” he said.
“I never anticipated in my wildest dreams that, as the prevailing party, the vindicated victim, I would be legally gagged by the privacy commissioner precisely because I had won,” he said.
Commissioner Kind’s preliminary report last year included the view that American Express was not adequately protecting its customers from “insider” security threats, and potentially exposing them to financial fraud, identity theft, physical harm and intimidation.
The preliminary report found that more than three-quarters of the company's systems did not log employee access to customers' accounts, and that the company should have made systemic changes once it was notified of Smith's complaint.
“The risk that employees may inappropriately seek to gain unauthorised access to the personal information on the employer’s systems for the purposes of alleged abuse, including coercive control and other forms of family violence, is an unfortunate reality,” she wrote.
“It is therefore essential that entities that hold personal information … ensure sufficient controls are in place to protect personal information from the risk of unauthorised access.”
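The control gap the commissioner describes is the absence of a record of which employee looked at which customer's account, and why. The following is an added illustration, not code from American Express, the OAIC or the original article, of the minimal check such a record enables: an audit log of employee-to-customer lookups, and a pass over it that flags lookups with no recorded business reason and employees who repeatedly return to one customer's account. The log format, field names, the "linked service case" rule and the sample lines are all assumptions constructed for the example.

```python
"""Toy insider-access check over an employee-to-customer access audit log.
Illustrative only: the log layout, the idea that every lookup should carry a
linked service case, and the threshold are assumptions, not any real system."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: str                  # ISO-8601 timestamp of the lookup
    employee: str            # staff identifier performing the lookup
    customer: str            # customer account that was viewed
    action: str              # what was viewed (transactions, card details, ...)
    case_id: Optional[str]   # service case that justifies the lookup, if any


# Constructed sample log (not real data). One event per line:
#   <ts> <employee> <customer> <action> <case or "-" when none recorded>
SAMPLE_LOG = """\
2021-03-01T09:10:00 emp-107 cust-5521 view_transactions CASE-8811
2021-03-01T09:12:00 emp-107 cust-5521 view_card_details CASE-8811
2021-03-02T22:41:00 emp-233 cust-9001 view_transactions -
2021-03-03T23:05:00 emp-233 cust-9001 view_transactions -
2021-03-05T00:17:00 emp-233 cust-9001 view_address -
2021-03-05T10:00:00 emp-301 cust-1234 view_transactions CASE-8820
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, cust, action, case = line.split()
        events.append(AccessEvent(ts, emp, cust, action, None if case == "-" else case))
    return events


def find_suspicious(
    events: List[AccessEvent], repeat_threshold: int = 3
) -> Tuple[List[AccessEvent], Dict[Tuple[str, str], int]]:
    """Apply two simple rules and return (unjustified_events, repeat_patterns).

    Rule 1: any lookup with no linked service case has no recorded reason and
            is surfaced for review on its own.
    Rule 2: an employee who views the same customer's account at least
            `repeat_threshold` times without a case is reported as a pattern,
            which is the snooping shape an insider-abuse review looks for.
    Neither rule can run at all on a system that does not log the lookups.
    """
    unjustified = [e for e in events if e.case_id is None]
    pair_counts = Counter((e.employee, e.customer) for e in unjustified)
    patterns = {pair: n for pair, n in pair_counts.items() if n >= repeat_threshold}
    return unjustified, patterns


if __name__ == "__main__":
    unjustified, patterns = find_suspicious(parse_log(SAMPLE_LOG))
    for e in unjustified:
        print(f"no recorded reason: {e.ts} {e.employee} -> {e.customer} ({e.action})")
    for (emp, cust), n in patterns.items():
        print(f"repeat pattern: {emp} viewed {cust} {n} times without a case")
```

On the constructed log the first rule surfaces the three lookups by `emp-233`, and the second rule collapses them into one repeat pattern against `cust-9001`; the two justified lookups by `emp-107` and `emp-301` are not reported. The point of the example is the precondition rather than the rules: a system that does not record employee access to customer accounts produces no events to examine.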
American Express told this masthead at that time the company did not share the commission’s preliminary views, which it believed were based on incomplete information and inaccurate assumptions.
“The investigation arises from a single incident involving one employee and one customer more than three years ago and does not relate to any breach of American Express systems or applications,” it said.
The parties were invited to respond to the preliminary report before a final determination was handed down.
Kind informed the parties of the outcome on May 20 but offered American Express the opportunity to make redactions to her reasons before providing the determination to Smith. He would be allowed to suggest his own redactions before she settled on a version that could be published, she said.
“No inference should be drawn about the reasons for my determination until you are provided with those reasons,” she wrote. “For the avoidance of any doubt, nothing is to be inferred from the commissioner’s preliminary view.”
When Smith was yet to be provided with the full determination a week later, Kind conceded the timeline had been extended due to “substantial submissions” she received from American Express pressing for redactions.
By the time she was ready to release her reasons to Smith on June 2, two weeks after informing him his complaint had been upheld, her position shifted. She had now decided to provide both parties with an unredacted copy of her reasons, while binding them to confidentiality.
The determination included information that could create risks to American Express’s cybersecurity, she said.
“Further disclosure of the confidential version of the determination would undermine the integrity of the OAIC’s complaint-handling process, discourage the frank and open participation of interested persons and third parties, and prejudice the administration of the Act.”
The course chosen by the commissioner cannot be appealed. Smith cannot claim that his rights as a complainant were denied, and the Administrative Review Tribunal does not have the power to adjudicate on non-publication.
Greens senator David Shoebridge said he was concerned about the precedent being set by the complainant being gagged.
“The Australian privacy commissioner has found that this American multinational breached privacy laws and then threatened the successful complainant with a court injunction if he tells the whole truth about it,” Shoebridge said. “That is so obviously wrong.”
American Express was also exposed to data breaches in 2019, when an employee wrongfully accessed customers’ account information in an apparent attempt to engage in fraud, and in 2023, when its Asia-Pacific employee data was accessed by an ex-employee based in India.