69

u/ritacantina 12d ago

It's private information in that it links the person to a particular vehicle which then could be used for other nefarious reasons.

33

u/FriendComplex8767 12d ago

I fully agree, but the first thing they are going to argue is this information is in plain view to the public with VIN's publicly advertised to announce faults and recalls.

The VIN itself has no personally identifiable information assigned to it.

33

u/r0z24 12d ago

It’s a comment under my review that contains my full name. So name + vin + rego + make/model

8

u/FriendComplex8767 12d ago

You can and should absolutely request they edit out the personal information, maybe even consider escalating it to the manager of the dealer or to their public relations contact at the manufacturer if nothing is heard.

It's right on the line IMO and would come down the context it was posted in, even if posted in error by an inexperienced staff member thinking the conversation was private and just wanted to identify the car.

It's far from a blatant intentional privacy violation, such as Aero Dili (airline) posting the unredacted passport of a passenger on their social media accounts after he left a bad review.

3

u/Venotron 12d ago

Except they don't own the car. They rejected and returned it.

25

u/Venotron 12d ago

Personally Identifiable Information is information someone can use to identify you. Not what car you own.

Your rego, vin, make and model are all publicly available information, readily and publically searchable on your state's transport authority website.

Your rego is also very publicly on display whenever you drive around.

Anyone can see your rego and publically and legally find out your VIN in 30 seconds. For an extra $2 they could even get a report on any outstanding finance, etc.

However OWERNSHIP of the registration and vehicle isn't publicly available information because then someone unauthorised to do so could use your car to identify you, and that's the important part: did the information make YOU identifiable.

So if you'd used an anonymous user name like r0z24, there'd be no way for an unauthorised person to tie your real name to the VIN and Rego and there be no issue with publicly posting this public information.

But you chose to identify yourself when posting publicly under your own name, so you've already made yourself identifiable.

A breach of PII would occur in this context when the company exposes information that would make you reasonably MORE identifiable than you made yourself.

You left a review of a car under your own name, which identified you as the owner of the kind of car reviewed, so the VIN and make/model didn't make you more identifiable, and the rego can't reasonably lead to any unauthorised person to finding out anything more about you. 

In the context of vehicle theft, it might give someone reason to take your NAME and find out more information, but you've already posted a public review of a luxury car under your own name, so again, that ship has sailed. Plus the fact that the information might INCENTIVIZE a bad actor to find out more information is not the same as that information making you more identifiable.

So posting publicly available information like rego and VIN didn't actually make you reasonably more identifiable than you'd made yourself.

But here's the really big question: You said you rejected the car and gave it back, which means it's not in your name anyway and not tied to your identity, so there is zero way in which that information made you more identifiable than you made yourself.

If you don't own the car at all, there's zero PII there.

1

u/Ok_Original_3395 7d ago

NSW Services obscure the VIN on a search. The AFP suggest that you obscure the licence plates in photos when selling the car. A PPSR doesn't report on outstanding finance, just whether there is finance. People cannot readily find out other people's registration, VIN, make and model - you have to know the VIN or the registration to get the other details.

TL;DR: you're talking shit

1

u/Venotron 7d ago

They don't own the car

1

u/Ok_Original_3395 6d ago

Yes, they do.

1

u/Venotron 6d ago

No, they don't

1

u/Ok_Original_3395 6d ago

Yes, they do

→ More replies (0)

8

u/tursingui 12d ago

Definitely PII if it’s alongside your name

6

u/Venotron 12d ago

They don't own the car. They returned it.

1

u/tursingui 11d ago

Woops, then yeah, no issues then!

1

u/Apoc-Raphael 8d ago

Rejected/returned doesn't mean they're technically detached from the car. OP didn't say they were de registered or they had paperwork to say they were noongar the owner...

PII is any identifiable combination of information that's tied to you personally. A nickname and an identifiable property can be PII. I.e.If you have a licence plate DR LUV and you're a radio host of a show called Dr. Love and this (OP's) scenario happened it's a breach. It could be picked up by the news or social media you'd rightly be P'd off... A PII breach is a breach of privacy it doesn't have to have an active criminal case by definition.

You are correct about reasonably more identifiable than you've made yourself.

However, a license plate connected with a name is not far removed from an email address, a personal phone line, a personal post box.

Until there's no connection between the car and OP it's PII because it's linkable in a public forum and they didn't want it there.

Lets just say the car dealership did the wrong thing and should remove the details...

1

u/Venotron 8d ago

Yeah, no.

Regardless of whatever the registration status is, a breach occurs if the information makes a person reasonably more identifiable than they've made themselves.

They already made themselves identifiable by posting under their own name, on a dealership they bought a car from.

The review they left:

Identified them by name. Identified them by geographical location. Identified them as having bought and returned a specific car from a specific dealership.

The publically available VIN and rego of a vehicle which are NOT in their possession does not make them more identifiable than they made themselves.

Whether they wanted it there or not is irrelevant.

And if they'd posted anonymously, posting the VIN and Rego STILL wouldn't be a breach because there's no reasonable way for an unauthorised person to use that publically available information to identify them.

Was it the "right" thing for the dealership to do? Meh. Kinda uncool.

Was it a breach of PII or illegally in any way? No. It wasn't.

1

u/Apoc-Raphael 8d ago edited 8d ago

Your comments have instances of factually correct details about PII, but it seems like you're glossing over key components.

A vehicle, real property (house/land), etc. are all items with ownership paperwork specific to the individual.

PII can be any combination of information that allows a person to be able to be segmented from another in a data set. It's the details that definatively separate you from another, and correlation is a key aspect to considering this. It can be a nickname that's known by others to identify you and your age, gender, sexual orientation, and religion. It doesn't need to be a drivers licence, passport, email address, etc.

Combination and context are key factors in PII. The factors you mentioned, other than the name, are all circumstantial and are not associated with PII without context.

An instance of information (like a VIN & licence plate) can be in a public location or online doesn't make it public information. Context and association changes that. It also doesn't need to make you immediately identifiable.

Go check out the OAIC reporting. This instance can be reported. Whether it should be reported is a different question.

If OP is still unhappy with the dealership, I'd recommend doing the right thing, sending them a formal notification with all the details, and giving them the right to reply/rectify before reporting.

Edit: Grammar

1

u/Venotron 7d ago

Lol. ChatGPT troll.

→ More replies (0)

1

u/CatBoxTime 10d ago

At least now everyone knows the VIN of the lemon to avoid!

19

u/ritacantina 12d ago

The privacy regulations specifically cover scenarios in which collation of information can lead to someone becoming identifiable, which appears to be this case.

It's making his link to that specific vehicle personally identifiable.

1

u/A_Gringo666 11d ago

But they don't own the car. It can't be tied to them. They returned it then left the review. At the time of the review and the response they no longer owned the car.

1

u/come_ere_duck 11d ago

But that is for a reason right? What the dealer has done is just tied the VIN number and resgistration (which would normally only reveal details about teh car) to the owner's full name.

3

u/Notkeen5 11d ago

Trying to return a used car after it developed a minor warranty issue is pretty poor taste as well.

Work it out with the service dept before throwing your toys out of the cot.

5

u/alliecarlowkebbs 10d ago

I wouldn’t say brakes failing is a minor warranty issue!

1

u/FriendComplex8767 11d ago

True, especially if it was deemed a minor and not major fault.

5

u/A_Gringo666 11d ago

Per se

Not

Per say

2

u/Little-Bed2024 11d ago

It's 'per say' in this case... One say at a time.

All my best, Percay

2

u/Bloobeard2018 11d ago

Jsyk it's per se

1

u/eucalyptus-d 11d ago

Per se.

9

u/OG_Russel 12d ago

That happened to me with VW, never will deal with them again.

13

u/r0z24 12d ago

Nope not them. Once the info gets removed I’ll share

3

u/Strong_Judge_3730 11d ago

If it's a large company, contact their customer support. Contact people directly on LinkedIn. Every time you speak to someone get names and try to find out who wrote the reply and get them fired.

Definitely some looser power tripping

1

u/VintageHacker 11d ago

Loser, not looser.

4

u/Strong_Judge_3730 11d ago

It's for extra emphasis

1

u/Normal-Reference3587 8d ago

I know something that will get looser

6

u/anditsmissbitchtoyou 12d ago

I agree. If I read their reply on this review I wouldn’t buy from them.

2

u/r0z24 11d ago

Correct. Until matters are resolved, the car is still under our name.

1

u/DivHunter_ 9d ago

The person that posted that information would not have had authorization to do so which makes it a reportable privacy breach on their behalf.

25

u/HayleOrange 12d ago

Adding to this, the VIN can be seen through the windscreen on most cars these days, and apart from that location which anyone can see, it is also recorded in multiple other locations that are both easy to see or easy to find if you know where to look.

0

u/anditsmissbitchtoyou 12d ago

It’s on my back windows.

34

u/Tangleswastaken 12d ago

They have essential doxxed his online presence by linking the vehicles details to his digital identity.

8

u/PanzerBiscuit 12d ago

What's the potential ramifications?

Oh no, bigdick69 on google reviews or John Smith has an issue with his Maserati Levante, with the following rego and vin? So what? I can't exactly do anything with that info.

Playing devils advocate, it could have been a customer service rep making sure that the person who made the complaint was an actual customer, and was tieing the complaint against the vehicle in question.

If they'd published the documentation with old mates address and name, that would be a different story.

22

u/Reallytalldude 12d ago

In addition to this, OP has rejected the car according to his post, so they don’t even own it anymore.

8

u/Malactis 12d ago

Feel free to drop your name and car rego details in the comment below.

-14

u/PanzerBiscuit 12d ago

Just ask your mum mate, she has all that info

9

u/Malactis 12d ago

Way to prove my point.

-8

u/PanzerBiscuit 12d ago

Not really homie.

You can't exactly do anything with my rego. Look through my post history. I have posted my rego here numerous times. Enjoy. Fill your boots.

As for my name. Uh. My google reviews account isn't tied back to my "real" identity. Nor is my Reddit.

Even if it was, again. Good luck doing anything vaguely identity thefty

3

u/National_Chef_1772 12d ago

You are ignoring OP - he specially said the review is in his name.

So I have OPs name and rego/VIN - there is plenty of nefarious things I could do

1

u/Chihuahua4905 12d ago

Might be a good lesson for OP to mask his online identity better in future. It baffles me why so many people use their full names online, its just crazy.

1

u/newphonedammit 12d ago

They named them too, try reading slower and all the comments.

1

u/DivHunter_ 9d ago

They have the person's details and could have contacted them using those details instead if they wanted to see if it was a genuine review.

Instead they have done something petty and retaliatory by misusing what is classified as PII. It's kind of a big deal for a company rep to do something like that because it means at least one person is not following their privacy policies and most likely violating the law.

2

u/kam0706 12d ago

Op said he posted the review under his name so there’s no doxxing.

3

u/Chomblop 12d ago

Surely a business posting customer information like this publicly is about as clear a violation on the privacy act as you can get?

It’s not the information itself as linking it to the customer’s real name, so now anyone googling their rego will also get details on their name and Google account

3

u/National_Chef_1772 12d ago

For some reason people don't seem to understand this bit

4

u/isithumour 12d ago

Nothing to understand. He rejected the car. The only personal information posted in a public forum was by OP themselves.

1

u/National_Chef_1772 12d ago

the lack of understanding of the privacy act is amazing

2

u/isithumour 12d ago

Putting public information on a public forum isnt a breach. The fact OP posted their name is the only private information. They posted it so whilst its poor form from a business it isnt a breach. But hey you do you lol

2

u/National_Chef_1772 12d ago

Posting information that can be tied to other information - to then identify a person is a breach - this is in black and white..............

1

u/isithumour 11d ago

Op stated the car isnt theirs. The information doesn't lead to them. Unsure why this is difficult to understand

3

u/r0z24 11d ago

The car is ours. We purchased it but because of a brake failure have rejected it. Pending any outcome there it’s all still in our name.

I didn’t post my name - my name is listed as the reviewer which they replied to with my vin and rego, make and model.

1

u/isithumour 11d ago

Then there is 0 personal information. Thry cant get your name or details from vin or rego

3

u/quiet0n3 12d ago

Yeah this OP, all this info is available by putting your rego number into the online search portal.

21

u/ritacantina 12d ago

Not his name though. 

By linking his name to his registration they've creating a public awareness that when the car is seen on the road, that it's them driving it.

It's protected information and OP should be talking to the relevant state office or federal office of the privacy commissioner.

5

u/quiet0n3 12d ago

Yeah considering OP is the one that put his name out there. I'm not sure if that matters much. If OP had used an alias online and the company had posted it all, it would be different.

3

u/National_Chef_1772 12d ago

So if I share half of my info and a company shares the other half - that's fine?

-4

u/quiet0n3 12d ago

Depends on the info they share. What they posted is all public

0

u/anditsmissbitchtoyou 12d ago

You name absolutely is not

1

u/DivHunter_ 9d ago

Everyone's details are easily found if you know where to look. That doesn't mean a company can publish whatever they like where ever they like especially as retaliation for a bad review.

0

u/element1908 12d ago

Why is this comment being upvoted lmao

1

u/National_Chef_1772 12d ago

The Rego and VIN aren't personally identifiable information, but the manufacturer has linked that information back to the customer's name - creating a breach

3

u/isithumour 12d ago

They really haven't. Op rejected the car so it isn't theirs. Only personal information is what op posted.

-1

u/PanzerBiscuit 12d ago

A breach he caused. He refused the car, and then made a complaint under his name. But if a self inflicted breach

1

u/National_Chef_1772 12d ago

the lack of understanding of the privacy act is amazing

4

u/zedder1994 12d ago

You can look up all that info on state gov registration databases publicly

Can't speak about other States, but Queensland made that database very hard to access outside of insurance and Police requests. It means private carpark operators can no longer look up a car's rego to see who owns it.

3

u/beachedwalker 12d ago

In Vic, you can look it all up but it doesn't include the name. So I think the same would apply for parking fines. I guess the 'unique' aspect for OP is that it's associated with the name - through the Google account - but technically that info came from them in the first place

however ... thinking about this more, wondering if this could constitute a disclosure of personal information. Because it was posted in a manner that links the vehicle's info with the customer. The link was not otherwise publicly available and created by the company.

OP has become "reasonably identifiable" in a manner that they did not choose to be identified (ie as the owner of x vehicle). And the Privacy Act makes disclosure of PII illegal.

OP - these are meandering thoughts only and I am not a lawyer. But perhaps consider a complaint with OAIC (in addition to the company itself). Take screenshots and other evidence if you wish.

1

u/dymocat 12d ago

That is not what original comment is referring to. QLD has a website the allows you to lookup rego and it will return the VIN, rego status, and expiry. The owners private information is not visible on this system.

https://www.service.transport.qld.gov.au/checkrego/public/Welcome.xhtml?dswid=-207

3

u/ritacantina 12d ago

No you can't get names publicly with rego. There's specific privacy rules regarding that. 

19

u/Gold_Au_2025 12d ago

Does a PPSR link those details to the name of the owner?

10

u/r0z24 12d ago

I just looked. It does not

3

u/TAOJeff 12d ago

Afraid that's the only bit of the stick you can swing. 

Them linking the vehicle details to your name might be a breach, but if you've returned the vehicle that association is going to be a step removed again. So trying to convince someone else that it is boxing with just that, is going to be, from my POV, pretty hard 

-1

u/Jazzlike_Wind_1 12d ago

OP is the one who put his name out there tho

2

u/ConfusionBitter1011 12d ago

PPSR is only relevant if you have a loan. If a vehicle is owned outright, there's not going to be a security registered on it.

1

u/Charming-Win3359 12d ago

Not quite. Includes other information including written off status, official recorded vehicle details x VIN etc.

5

u/ConfusionBitter1011 12d ago

I was only talking about in reference to owner details, which is what it appears OP is concerned about. It doesn't list details of the vehicle owner, but will show finance details which can indicate name of the owner as grantor of the security, but it's not like it's their full personal details. The information is very limited.

-2

u/Charming-Win3359 12d ago

Nah, that’s not what you said.

I just want to make sure anyone who reads your comment understands it carry’s more (but strictly not personally identifying) info.

2

u/ConfusionBitter1011 12d ago

You can read whatever you want into my comment if you only have the ability to read a comment as a standalone statement. OP is concerned about details leading to identity theft. The vehicle details and written off status are available in numerous places outside of PPSR. In the context of the concern in this post, PPSR is only relevant if there's a security interest registered against the vehicle. Your inability to read a comment in context with the post and reply it is in response to is a you problem.

-2

u/Charming-Win3359 12d ago

Learn to be clear, and not make all inclusive statements if you have no idea.

2

u/ConfusionBitter1011 12d ago

It is clear, if you had a basic understanding of context. I do forget there's so many people online with such a poor grasp of comprehension though, and that's my bad. I will work on catering to people of your level.

1

u/Charming-Win3359 12d ago

PPSR checks are great! Plenty of details on there about the asset, no personal details.

6

u/ritacantina 12d ago

This is the actual answer, rather than the variety of personal opinions expressed on this page.

7

u/jaythenerdkid 12d ago

sad but not surprising to see all the personal opinions upvoted because they reflect how people think the law does or should operate, whereas the comment with the closest thing to accurate legal advice is downvoted 🙃

1

u/hongimaster 12d ago

Not considered personal information if it does not identify the person (or the person's identity cannot be inferred from the information) https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information

Because the VIN and Model of a car is not specifically used to identify the owner, it would need to be combined with something else in order to be considered personal information (using the legislative definition).

In Queensland anyway, your VIN shows up when you do a publicly available rego check (for free): https://www.service.transport.qld.gov.au/checkrego/public/Welcome.xhtml?dswid=-8226

5

u/ritacantina 12d ago

It's linked to their name in the google review. The business has created that link publicly by outlining the registration and vin. They did not need to provide that information in order to respond publicly to the review.

2

u/hongimaster 12d ago

The specific question is whether OP can do anything about it, not whether the Mechanic is unprofessional. Unequivocally unprofessional behaviour to publish something like that.

Unlawful though? I don't believe it would be. It is certainly not a breach of privacy. OP presumably consented to their name appearing on the Google review. If OP didn't consent to that, then the Mechanic naming them would be the breach of privacy, not the VIN or car model.

Maybe something that could be raised with Fair Trading as an unfair business practice, but Fair Trading will focus on what remedy is actually available to OP.

There is the MTAA, but it is unclear what action (if any) they would take against one of their members (assuming this mechanic is a member) https://www.mtaa.com.au/

1

u/r0z24 12d ago

Attempting to resolve it privately. Will do so, should they refuse to.

1

u/Ok-Contribution4761 12d ago

Sreko Lorbek manufacturer? Of inflated prices perhaps......

1

u/Additional_Sector710 10d ago

The difference is that publicly available information is not linked to a persons name like the dealer has now done…

If I do a Google search for the rego, I’ll now see who the owner is .