The Australian rental landscape is facing a seismic shift following a landmark ruling by the Privacy Commissioner against IRE Pty Ltd, the operator of the widely used 2Apply platform.
In the decision [2026] AICmr 24, the Commissioner found that the platform engaged in “unlawful” and “excessive” data collection, a move that legal experts warn leaves thousands of real estate agencies exposed to significant liability.
Luke Shumack, Partner at O*NO Legal, has issued a stark warning to the industry, characterising the ruling as a definitive turning point for how agencies must handle sensitive tenant information.
The ruling: “Unlawful and Unfair”
The Privacy Commissioner, Carly Kind, found that 2Apply collected a vast array of personal data that was not “reasonably necessary” for its functions.
This included sensitive details such as bankruptcy status, visa expiry dates, the names and ages of dependants, and even whether an applicant was a smoker or a student.
Beyond what was collected, the Commissioner slammed how it was collected, citing a “significant power imbalance” in a hyper-competitive rental market.
“The competitiveness of the current rental market means that individuals are at a disadvantage when trying to rent a home and are more vulnerable,” the Commissioner stated.
The ruling specifically targeted the platform’s “Online Choice Architecture” – digital design tactics that pressured renters into providing data for fear that their application would otherwise be ignored.
The danger of the “Third-Party” assumption
For years, many real estate agencies have operated under the assumption that using a third-party platform shielded them from privacy risks. Mr Shumack argues that this belief is not only wrong but dangerous.
“Many agencies assume: ‘We use a third party platform, so privacy compliance sits with them.’ That assumption can be dangerous,” Mr Shumack warned.
He notes that because agencies direct applicants to these platforms, store the resulting data in their CRMs, and download documents from these systems, they remain firmly on the hook.
“While the platform may be collecting the information… your agency may still be exposed,” he said.
A sector under scrutiny
The ruling comes at a time of increased regulatory pressure. The Office of the Australian Information Commissioner (OAIC) has already identified the real estate sector as a primary focus for compliance activity.
Mr Shumack emphasises that a generic privacy policy is no longer a sufficient defence.
“Having a privacy policy alone is not enough. Agencies need operational compliance across open homes, rental applications, inspections, and CRM systems,” he said.
The Commissioner’s findings regarding the “excessive” nature of the data collected – ranging from vehicle registration numbers to highly specific identification documents like Medicare card colour – means agencies must now justify every piece of data they hold.
“The biggest issue? Power imbalance.”
A core component of the ruling was the finding that applicants felt they had “little genuine choice” in the process. Mr Shumack highlighted this as a critical takeaway for agency principals.
“Applicants may have felt that if they didn’t provide extensive personal information, they wouldn’t secure the property. That creates serious privacy risk,” he said.
Mr Shumack also pointed out that the Commissioner specifically criticised practices that pressured renters: “The circumstances in which the respondent collects personal information is characterised by significant power imbalances, limited choice and security risks relating to the real estate sector.”
The Commissioner has ordered IRE Pty Ltd to cease collecting the prohibited data points within 60 days and to appoint an independent reviewer to audit its practices. However, for real estate agencies, the work starts now.
He now urges agencies to audit their application forms immediately and remove unnecessary collection points.
“Just because a platform asks for the information doesn’t mean you should be collecting it,” he cautioned.
“And if regulators start asking questions, blaming the software provider likely won’t be enough.”
Mr Shumack said the ruling serves as a final warning to the “RentTech” industry and the agencies that rely on it; as the rental crisis continues to make headlines, the tolerance for “unreasonably intrusive” data practices has vanished.
“The agencies that act now will be in a far better position than those waiting for complaints, investigations or media scrutiny.”
Quick Guide: Data points ruled “Not Reasonably Necessary”
According to the determination, agencies and platforms should no longer be collecting:
- Personal Attributes: Gender, student status, bankruptcy, or retirement status.
- Dependant Info: Names and ages of children.
- Property History: Previous living history (2 years) or ownership of other properties.
- Financial/Gov Status: Bond or rental assistance status, citizenship, and visa expiry.
- Excessive Detail: Medicare card colour, passport numbers (unless verified via secure third-party), and vehicle registration.