Need to know
- It remains unclear what rental application platforms such as Ignite, 2Apply, Snug, tApp and others are doing with the renter data they harvest
- The Australian Privacy Principles hold that businesses that collect data for a specific purpose can't use it for another purpose without consent
- In a case recently ruled on by the Office of the Australian Information Commissioner (OAIC), a renter's data was improperly used against him by the rental agency that collected it
Being forced to hand over unreasonable amounts of personal information when applying for a place to live is something that happens to a lot of people in Australia, and it's an issue that CHOICE has reported on extensively.
The potential consumer harms are such that we gave the entire rental application platform industry (or RentTech) a Shonky in 2023.
It remains unclear what rental application platforms such as Ignite, 2Apply, Snug, tApp and others are actually doing with the renter data they harvest, but it is clear that they have to abide by the Australian Privacy Principles (APP) when handling it.
In a recent case that ended up with the Office of the Australian Information Commissioner (OAIC), this didn't happen.
The Australian Privacy Principles are a distillation of the Privacy Act, which OAIC oversees. They stipulate that a business that holds someone's personal information for a particular purpose can't use or disclose it for a different purpose unless they obtain the individual's consent. There's also an exemption if the business has valid grounds to assume the person would reasonably expect it to be used for the other purpose.
In the case that was recently decided by OAIC, the matter of consent proved pivotal.
Agency retaliates by doxxing
A disgruntled renter had left a negative Google review about the real estate agency he was renting through under a name similar to his own.
The review included statements such as: "Highly unprofessional. I would question how many of your 5-star reviews are fake. Your response to an emergency in a rental property is more than three full days. Shame on you."
Previously, he had lodged a complaint with NSW Fair Trading about the agency.
When the agency retaliated by publishing the renter's full name, occupation and financial circumstances in its response to the review – a move known as doxxing – it came as a shock.
The agency retaliated by publishing the renter's full name, occupation and financial circumstances in its response to the review
The agency also fired back with their own comments, saying their reviews were genuine and adding, "I am not sure if we have upset you by chasing your unpaid rent so many times, we will not be apologising for that. You work as an accountant according to your LinkedIn profile, and as an accountant you should know how to pay rent on time."
When the agency refused to take down the renter's personal information or its comments, the renter threatened to lodge a privacy complaint with OAIC. In response, the real estate agency escalated the conflict, threatening to publish more of the renter's personal information, including health information.
A business that holds someone's personal information for a particular purpose can't use or disclose it for a different purpose unless they obtain the individual's consent.
Agency found to be in the wrong
After reviewing the case, OAIC found that the real estate agency had contravened the APP, not only by publishing the renter's personal information without consent but also by lacking a privacy policy that adequately explained how it handled personal information at the time it did so.
The nature of the personal information disclosed, and the reasons for the disclosure, were very relevant to the findings in this matter
OAIC spokesperson
"Whether the disclosure of personal information is lawful will depend on the facts and circumstances in each matter but the nature of the personal information disclosed, and the reasons for the disclosure, were very relevant to the findings in this matter," an OAIC spokesperson tells CHOICE, adding that businesses "should carefully consider why they intend to disclose personal information, and whether that purpose is consistent with the purpose for which they collected the information in the first place".
Regulator concerned about RentTech
The OAIC spokesperson also told us that it's keeping an eye on the RentTech industry, "where there is typically a power imbalance in property rental, favouring landlords and real estate agencies. Tenants may have little choice other than to use RentTech, providing significant personal and sensitive information in the process".
The regulator says it has concerns about the amount of personal data collected from renters and the lack of transparency around sharing it with third party providers for secondary purposes. "If personal information is required, it should be deleted once it is no longer needed," the spokesperson says.
We need comprehensive reform of our privacy laws to protect consumers from malicious and exploitative uses of our data
CHOICE senior campaigns and policy adviser Rafi Alam
OAIC's view is firmly in line with our position on the issue.
"Tenants aren't just paying through the nose in rent anymore – they're paying in valuable data too," says CHOICE senior campaigns and policy adviser Rafi Alam. "Our personal information has become big business for RentTech platforms, and it's left us vulnerable to data misuse and data breaches."
"We need comprehensive reform of our privacy laws to protect consumers from malicious and exploitative uses of our data. While the government has fortunately taken a few small steps in this direction, we're hoping that big ticket items like an obligation on businesses to use our data fairly will be introduced as soon as possible."
Doxxing to be added to privacy law
In the end, the regulatory intervention in this case was more of a reminder of a business's obligation under privacy legislation than a punitive action.
Though the renter had asked for $15,000 from the real estate agency to compensate for what he described as severe emotional distress caused by the doxxing incident, the privacy regulator didn't go that far.
Instead, the punishment was the removal of the renter's personal information from the Google reviews platform, a letter of apology to the renter, and a commitment from the real estate agency to train staff on how to properly handle such information going forward.
Doxxing isn't a concept that's specifically outlined in the current version of the Privacy Act, but the Privacy Bill currently before parliament proposes to make it an offence.
Stock images: Getty, unless otherwise stated.
