Well Amex aren't above the law in this case the Privacy Act. This has some interesting requirements on what they can collect, when and what they must do when they collect.
Some interesting info at
Collection of personal information
Some ways I'd suggest this request might fall foul of the law
"Personal information must be collected
from the individual concerned, unless this is unreasonable or impracticable (additional exceptions apply to agencies)."
"What you must be told when your personal information is collected
When an organisation or agency collects your personal information
they must take reasonable steps to tell you the following information, as close as possible to the time they collected your personal information:
- the organisation or agency’s identity and contact details
- the fact and way in which the organisation or agency collected your personal information
- if collecting your personal information is required or authorised by law
- the reasons the organisation or agency collected your personal information
- the consequences if the organisation or agency doesn’t collect your personal information
- the organisation or agency’s usual disclosures of the kind of personal information being collected
- information about the organisation or agency’s privacy policy
- if the organisation or agency is likely to disclose personal information to overseas recipients, and if practical, the countries where they are located"