In today’s digital age, where personal data is a new kind of currency, companies wield significant power, collecting and sharing our personal information between brokers, telemarketers, and often with scammers. These businesses profit from the data they collect, while Australians pay the price—not just in privacy violations but financially as well. In 2023, Australians lost a staggering $2.7 billion to scams. This alarming figure highlights the urgent need for stronger privacy protections to limit how personal data is collected and shared in the country.
To address this growing concern, the Australian government introduced long-overdue privacy reforms earlier this month. However, while this move is welcome, the reforms fall short in addressing the many privacy issues affecting Australians today, particularly when it comes to data brokers and telemarketers. For millions of Australians, their personal information is routinely bought, sold, and exploited, often without their knowledge or consent.
One mechanism intended to protect Australians from unwanted contact is the Do Not Call Register, managed by the Australian Communications and Media Authority (ACMA). It holds more than 12 million phone numbers, including mine. This registry is supposed to block unsolicited calls from telemarketers. Yet, despite my number being on the list, I started receiving an average of three unwanted calls a day last year.
Discovering the Hidden Data Market
Curious about the origins of these calls, I began investigating the sources. What I uncovered was a vast network of connections between data brokers, telemarketers, and large organizations, including a major political party. It soon became clear that being on the Do Not Call Register alone was not enough to safeguard my privacy.
My investigation started with the telemarketers themselves. I asked them for details about the data they had on me, such as my name and phone number, and how they had acquired this information. I also requested specifics about the companies they represented, including their Australian Business Numbers (ABNs) and websites. Most of the callers hung up as soon as I started asking these questions, an indication of the murky waters in which many of these businesses operate.
However, one conversation stood out. A man named Paul, who worked in the real estate sector, finally shed some light on the issue. Unlike other telemarketers who only had access to pseudonyms I had used to protect my identity online, Paul knew my real name. This piqued my curiosity, and I asked where he had acquired my information. His response? He had licensed my data from CoreLogic Australia, a major player in the real estate industry.
Real Estate Industry and the Data Economy
Australia’s real estate market is massive, with an estimated value of more than $10 trillion as of 2024. In such a high-value market, personal data is especially valuable. Businesses within the real estate sector, from developers to agents, can use this information to identify and target potential clients, making it a lucrative industry for data brokers.
Paul’s revelation that CoreLogic had my personal information led me to dig deeper into how my data was collected and shared. After multiple attempts, I eventually obtained the personal data CoreLogic held on me. Surprisingly, it was both minimal and highly accurate. This was particularly concerning given the significant steps I’d taken to conceal my real identity online.
My immediate question was: how did CoreLogic get my data? It was clear that they had access to details that only certain institutions—such as banks, utility companies, or the government—would typically hold. This suggested a disturbing possibility: institutions we rely on for essential services, housing, or finance, and from which we cannot easily hide our identities, may be selling our personal information to data brokers. These brokers then pass the information on to telemarketers, who are often based overseas and not bound by Australian privacy laws.
Data Broker Network: From CoreLogic to Smrtr
After several follow-ups with CoreLogic, I learned that they had purchased my data from an Australian data broker firm named Smrtr in August 2023. This date matched up with the surge in unsolicited calls I had been receiving. My investigation into Smrtr revealed that they had purchased my data back in 2016 from yet another data broker, a company called EightDragons Digital.
The deeper I dug, the clearer it became that my personal data had been passed between multiple entities without my consent. Smrtr admitted to selling my data to various companies over the years, further perpetuating the cycle of privacy invasion. The fact that none of these companies had ever sought my explicit consent to trade or use my personal information was deeply concerning.
EightDragons Digital: A Web of Corporate Clients
Determined to find the original source of my data, I contacted EightDragons Digital. The company bills itself as a “leading global consumer data agency” and boasts an impressive list of corporate clients, including well-known brands such as Energy Australia, Vodafone, NRMA, Nissan, Johnnie Walker, American Express, and The Good Guys. Alarmingly, the Australian Labor Party also appeared on its client list, suggesting that political organizations are just as entangled in the data economy as private corporations.
According to EightDragons, they had collected my data during a 2014 marketing campaign, and they admitted it had likely been passed along to at least 50 other companies. Yet, when I asked for proof that I had provided consent to share my data, they could not produce any records. This troubling discovery suggested that many companies, including major brands and political parties, are acquiring and using personal data without verifying if consent was given in the first place.
Lack of Accountability Among Data Brokers
CoreLogic defended its data-sharing practices as legal, citing the challenges of verifying consent or anonymizing personal information as excuses. However, advances in technology now make it possible to track the origins of data, check consent, and share valuable insights without exposing personal details like names or phone numbers.
Despite these capabilities, data brokers seem to favor outdated practices, keeping sensitive information unmasked and freely shared. This approach leaves consumers vulnerable to exploitation, including unwanted calls, targeted advertising, and even scams. Once personal data is out in the open, it becomes almost impossible to control where it goes, especially when it is shared with overseas telemarketers who operate outside the bounds of Australian privacy laws.
Current State of Australia’s Privacy Reforms
In response to growing public concern over data privacy, the Australian government introduced new privacy reforms earlier this month. While these reforms are a step in the right direction, they do not go far enough in addressing the systemic issues in the data brokerage industry. For example, under the current laws, companies are still not required to obtain explicit consent before trading personal information. This lack of regulation leaves consumers exposed to the very practices that caused me to receive dozens of unwanted calls last year.
Moreover, the reforms do not address the international dimension of the data economy. Many of the telemarketers who called me operated from overseas, beyond the reach of Australian laws. Even if the new reforms strengthen domestic privacy protections, they will have little impact on data shared with companies based in countries that have weak or non-existent privacy regulations.
Need for Stronger Data Privacy Protections
The government’s recent privacy reforms are certainly welcome, but they represent only a small step forward. Until there are stricter regulations in place that require data brokers and corporations to obtain explicit consent before collecting, sharing, or selling personal information, Australians will continue to be at risk of privacy violations.
There are several key measures that should be included in future privacy reforms:
- Explicit Consent: Companies should be required to obtain explicit consent from individuals before collecting or sharing their data. This would help prevent the kind of unchecked data trading that has become so widespread.
- Data Anonymization: Businesses should adopt modern technology that allows them to share insights without exposing personal details. This would help protect consumers from having their information used in ways they did not intend.
- Oversight of Data Brokers: The government should establish stricter oversight and regulation of data brokers to ensure that they are complying with privacy laws. This could include regular audits and penalties for companies that fail to protect personal information.
- International Cooperation: Given the global nature of the data economy, Australia should work with international partners to ensure that data shared across borders is adequately protected.
The privacy issues exposed by my investigation are not isolated incidents; they are part of a broader trend of personal data being commodified and traded without consent. As long as businesses and data brokers continue to profit from this unchecked flow of information, consumers will remain vulnerable to scams, unsolicited calls, and privacy violations.
The Australian government’s new privacy reforms are a start, but they fall short of the comprehensive changes needed to protect people from exploitation in the data economy. Until stricter measures are implemented, Australians will continue to pay the price for the data industry’s lack of accountability. The stakes are high: our privacy, our financial security, and our trust in the institutions that are supposed to protect us are all on the line.