Summary of key points

  • Data and digital technologies can improve the productive capacity of Australia’s economy and benefit the Australian public.
  • The Privacy Act is technology-neutral and principles-based which allows it, overall, to develop with changes in technology and business practices.
  • Effective privacy regulation is important in building and maintaining community trust in data and digital practices. Consumers will do business with businesses they trust to use and keep their data responsibly and safely. Reforms to boost innovation and productivity should centre community trust as a key objective.
  • The OAIC supports a fair and reasonable test in the Privacy Act to mandate a general principle on the collection and use of personal information and improve privacy outcomes for individuals.
  • An alternative compliance pathway and best interest obligation would undermine effective privacy regulation and increase regulatory uncertainty for business entities.
  • The development of artificial intelligence and new data access pathways should be supported by effective regulations to maintain community trust and protect personal information. The OAIC supports a gap analysis of the Privacy Act and other regulatory schemes to consider whether additional regulations on artificial intelligence are required.

Introduction

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide comment on the Productivity Commission’s (PC) interim report Harnessing data and digital technology.

The OAIC is responsible for promoting and upholding Australians’ information access rights under the Freedom of Information Act 1982 (FOI Act) and their privacy rights under the Privacy Act 1988 (Privacy Act). We also have regulatory responsibilities under 37 other Commonwealth statutes including the My Health Record Act and Digital Health, Consumer Data Right, Digital ID, Social Media Minimum Age, Telecommunications and Credit Reporting schemes. The effective administration of these regimes is essential to support public trust in Government, business activity and the safety of Australians. By utilising a risk-based, educational, and enforcement-focused approach, the OAIC builds trust in our democracy and economy by protecting privacy and information rights.

Privacy is a fundamental human right that underpins freedom of association, thought and expression, as well as freedom from discrimination. Privacy regulation includes, but extends beyond, economic conduct regulation. This fundamental right has been further strengthened by the recent introduction of the statutory tort of privacy in Australia.

Good privacy practice is good for business – it creates consumer trust and influences purchasing decisions. Most Australians place a high level of importance on their privacy when choosing a product or service, with 70% saying it is ‘extremely’ or ‘very important’ and another 26% stating it is ‘quite important’.1 However, when data breaches occur, they are costly for the business, impacted individuals and the broader economy. IBM calculates that in 2024 the average cost to business of a data breach was $4.26 million.2 The OAIC received 1,113 notifications under the Notifiable Data Breaches scheme in 2024, a record number and a 25% increase from 2023.3 In its study, IDCARE estimates a total of $41 million in individual losses from data breach events in 2024.4 Data breaches facilitate further losses through subsequent use of personal information by scammers. Reported losses to scams in 2023 were $2.74 billion.5

The OAIC recognises the Productivity Commission’s objective of improving national productivity for the benefit of all Australians, and the role that innovative data-based practices and digital technology can play in achieving this goal. As the regulator of information rights, the OAIC takes a holistic approach to information access, encouraging proactive release of government held data to support private sector innovation, and community engagement in improving government services. However, the OAIC is concerned that the PC’s proposed reforms to the Privacy Act may introduce greater uncertainty for regulated entities to the detriment of confidence and productivity, without improving privacy-related outcomes for individuals.

Privacy responsibilities are well established and embedded in Australian business practices. A key feature of the OAIC’s regulation of privacy is strong engagement with regulated communities6 and increasing guidance in accessible forms to ensure new developments are effectively communicated.7

The OAIC believes that effective regulatory frameworks are a crucial part of realising these productivity gains. Robust privacy regulation can provide the secure and trusted scaffolding within which entities can confidently adopt and innovate. The OAIC also supports regulatory frameworks that allow the community to confidently engage with data-based practices and digital technology such as new data access pathways and AI by assuring privacy protections and enabling transparent government-decision making through robust information access laws.

Community trust and safeguards

Deploying data and digital technology to successfully drive Australia’s productivity agenda requires community trust in the safety and security of new technologies. Many entities recognise the role of effective regulation in public trust – in a recent survey, 66% of the OAIC’s stakeholders believed that our regulatory activities demonstrated a commitment to continuous improvement and building trust.8

The OAIC regularly conducts public surveys to understand community sentiment and our work in this space consistently demonstrates that the Australian community places a high value on protecting, and having control over, their personal information. In our 2023 Australian Community Attitudes to Privacy Survey (ACAPS), Australians told us:9

  • 84% of Australians want more control over their personal information;
  • 62% have a major concern over the protection of their personal information; and
  • 82% want to do something to protect their personal information, but 57% don’t know how.

The OAIC recognises the Productivity Commission’s objective of reducing regulatory burden to support Australia’s productivity agenda. However, while privacy frameworks have an important role as a form of market regulation, privacy remains, at its core, a human right. As a human right, individuals should be able to exercise control over the access to and handling and retention of their personal information. The OAIC believes regulatory burden reduction must continue to deliver a rights-based approach to privacy protection – without the protection of individual privacy rights, community trust in markets and technology will likely be eroded, adversely affecting productivity and economic prosperity.

The Privacy Act is technology-neutral and principles-based which allows it, overall, to develop with changes in technology and business practices. The OAIC recognises that artificial intelligence (AI) and related technologies have the potential to benefit the Australian economy and society, by improving efficiency and productivity across a wide range of sectors and enhancing the quality of government services for the Australian people. We also acknowledge that the data-driven nature of AI technologies, which rely on large data sets that often include personal information, can also create new specific privacy risks and/or amplify existing risks.

In the absence of AI-specific legislation in Australia, it is incumbent on regulators to demonstrate how existing regulatory frameworks apply to the adoption of AI to ensure that community values and expectations are met and protected. To that end, in 2024 we published regulatory guidance to assist regulated entities with appropriate development and deployment of privacy-preserving AI products. At a practical level, the OAIC recently published our findings on I-MED’s collection of de-identified patient information for its training of medical AI technology to improve medical diagnosis. Our preliminary inquiries found that patient data had been de-identified sufficiently and was no longer personal information for the purposes of the Privacy Act. This matter shows how good privacy practices may still allow an entity to effectively carry out its business activities, and adopt new and innovative data-driven technologies, whilst respecting privacy and maintaining client trust.

Outcomes-based regulation

The OAIC is concerned that the PC’s proposals for an alternative (or dual-track) compliance pathway for privacy regulation may undermine the regulatory framework that protects individuals and their personal information and inject uncertainty in markets thereby adversely impacting productivity.

The Australian Privacy Principles (APPs) are well established and provide flexible and principles-based obligations. They are focused on transparency and building trust and individual choice, consistent with privacy being a fundamental right. While the OAIC strongly believes that entities should be responsible for respecting and protecting the right of individuals, we advocate for a balanced approach rather than a paternalistic approach in which the entity makes qualitative assumptions and assessments of an individual’s best interests or the ‘right’ outcome for them.

From a pragmatic perspective, without the transparent disclosure practices required under the APPs (e.g. privacy policies), individuals engaging with an entity may be unable to identify whether that entity is opting into an outcomes-based pathway or is simply non-compliant with privacy obligations altogether.

The OAIC also notes that an outcomes-based pathway may be unevenly adopted by entities depending on their capabilities. Entities with greater resources may be able to better explain and defend their practices than less-resourced entities and new market entrants, creating uneven privacy protections for individuals across the economy. The existing transparent and, where applicable, consent-based processes of the Privacy Act create certainty for both entities and markets. The process-based provisions of the Privacy Act are also intended to prevent privacy-based harms by mandating economy-wide best practices – however, allowing entities to single-handedly determine their own processes for meeting individual outcomes introduces significant uncertainty as to acceptable practices and available protections.

Best interest obligation

The OAIC also questions whether the best interest obligation model will deliver better outcomes for businesses. The model may introduce greater regulatory uncertainty, and thus burden on entities, and significant challenges for regulatory enforcement. Terms such as “best interest” introduce ambiguity into privacy regulation that will likely rely on judicial interpretation over many years to create clarity of expectation. Without detailed regulatory guidance, this will likely be a lengthy and costly process for participants; with detailed guidance, the foundations of a best interest obligation may be substantially similar to existing APP guidelines, leading to regulatory duplication. We note that best interest obligations in financial services were only tested in court after three years.10 Additionally, best interest obligations in financial service regulations rely on extensive safeguards and obligations on providers that will be difficult to recreate in data-based exchanges.11 Best interest usually relies upon an individualised assessment of a person’s financial and personal situation, including whether they are experiencing vulnerable circumstances.

Entities operating in high volume transactional environments may not have the capability, expertise, or oversight to understand or act in the best interest of individual users or classes of users. This is particularly the case when entities are collecting and handling large amounts of personal information relating to millions of individuals. Common mass data practices limit the ability for entities to consider key characteristics of individual best interest such as specific vulnerabilities and would make it difficult to recognise and prevent conflicts of interest.

Fair and reasonable test

The OAIC strongly supports the Attorney-General’s Department’s (AGD) proposal for a fair and reasonable test as an alternative to a best interest obligation.12 A fair and reasonable test in the Privacy Act would require the collection, use or disclosure of personal information under APP 3 and 6 to be fair and reasonable. Implementing this test would be consistent with the technology-neutral and principles-based approach of the Privacy Act and APPs, reflect current community expectations around the handling of their personal information, and provide individuals with greater trust in the entities that collect and use their data whilst retaining individual rights at the centre of the regulatory regime.

By way of example for how the fair and reasonable test could meaningfully operate: currently, entities can collect any personal information that they deem to be ‘reasonably necessary for their functions and activities’. In practice, this means entities are vastly over-collecting data, and making the collection of excessive amounts of personal information contingent on accessing a product or service, even when that information is not essential for the use of the service. For example, many entities collect dates of birth, gender, geo-location information, IP and device identifiers, copies of identity documents and other data which is neither strictly necessary, nor of legitimate use to the entity. Consumers are not able to make granular choices about what data they hand over, and entities are exposing them to security risks by collecting and hoarding more data than they need. Some entities are also collecting individuals’ personal information indirectly and without their knowledge, for example by purchasing customer lead lists from data brokers.

The introduction of a fair and reasonable test would curtail these unfair practices. Significantly, a fair and reasonable test would also be consistent with the existing language of the Privacy Act and other economy-wide frameworks, such as the Australian Consumer Law, that already employ concepts of reasonableness and fairness. This will allow the OAIC to enforce the test more effectively, be less burdensome on regulated entities that are already familiar with the concepts, and draw on well-established precedent in judicial interpretation. A fair and reasonable test will incentivise less intrusive practices, encourage entities to consider the impact of their activities on the interests of individuals, and facilitate better privacy outcomes.

The OAIC’s regulatory approach is underpinned by the pillars of purpose and proportionality. That approach is recognised by regulated entities and the community. It also aligns with extant judicial interpretation. Advancing this approach through a legislated fair and reasonable test will inject further clarity and certainty for regulated entities and the Australian community. A departure from this approach would create greater uncertainty and adversely impact productivity.

Right to erasure

Under the current law, entities are required to erase personal information under certain limited conditions. APP 11.2 requires destruction or de-identification if an entity no longer requires the information for purposes allowed under the APPs. However, APP 11.2 empowers entities to determine when the information is no longer required, rather than the individuals that are the subject of the personal information.

As entities are incentivised to hold on to collected information for longer than the purposes it was provided due to the value it provides for unrelated or future purposes (e.g. marketing, data analysis), this can lead to the storage and handling of data beyond the expectations of data subjects. In practice, entities tend to hold onto personal information far longer than they require it, in some cases decades beyond an ongoing relationship with a customer or client. ACAPS findings show that only 30% of people trust organisations to delete their information when it is no longer needed.13

The OAIC recognises a right to erasure is enshrined in privacy regulations in many jurisdictions around the world, including Korea, Singapore, the UK and the European Union, and has strong support in the Australian community. The OAIC regards it as essential to consider how a right to erasure could be given effect in the Australian context, taking into account the need for a pragmatic approach, including by articulating exceptions to this right in certain circumstances and a “reasonableness threshold” to assist in reducing overly burdensome regulatory compliance.14

The OAIC sees particular value in a right to erasure for children and young people, and the concept has emerged as a significant concern in our consultations to develop a Children’s Online Privacy Code. In stakeholder engagement conducted with Reset.Tech and the CREATE Foundation, only 6% of children and young people actively wanted their data to be kept once they turned 18.15 Our ACAPS research also found that 90% of the Australian community believed that children, or their parent or guardian, should be allowed to request erasure of their personal data.16 Children fear that personal information from their youth, including errors made in their youth, can limit their work-related and personal potential as adults. This can be severely consequential from a rights-based perspective, as well as having a negative effect on their employment prospects in adulthood, with related impacts on their physical and mental health.

Balancing new technologies with rights

The OAIC recognises that new technologies can play a significant role in boosting Australia’s productivity potential and benefitting the Australian public. As discussed by the PC, greater adoption of AI-based systems and secure data access pathways can contribute to the economic and social well-being of the country. The OAIC takes a holistic approach to information rights, facilitating proactive release of information which can support advanced data analytics usage by the private sector to support new product development and identification of new markets.

As noted above, the OAIC has contributed its expertise to these goals by providing guidance on the use of commercially available AI and on training generative AI, and by regulating privacy aspects of existing data access systems such as the Consumer Data Right and My Health Record. The OAIC has also recently published its findings on preliminary inquiries into I-MED’s disclosure of patient data in the training of medical AI systems; by explaining how I-MED appropriately followed privacy regulations, other regulated entities can draw on the findings to also develop and use AI in a compliant manner to increase efficiency in their business practices.17

The OAIC has identified AI as a technology that raises the potential for widening power and information asymmetries between entities and individuals, and for possible threats to privacy and information access rights.18 It is critically important that entities maintain community trust and safety through effective privacy practices to fully realise the productivity benefits of new technology. The OAIC has also commented on AI-based risks to information access and to the transparency of government policy and decision making. In situations where AI systems (such as large language models) are used in a way that impacts government policy, services, or decision making, the community expects transparency, accountability and avenues for review when relevant. It is important that explainability and reviewability are not compromised by the use of AI.

However, the Australian public is cautious about entities self-regulating on AI-based practices. A total of 96% of respondents to the OAIC’s ACAPS said there should be some conditions in place before AI is used to make decisions that might affect them,19 while ACCC research found that 83% of Australians believed entities should obtain consent before using personal data to train AI models.20 Globally, there is an overwhelming mandate for AI regulation, with 70% of people believing regulation is necessary and only 43% satisfied with existing regulations.21

The OAIC supports Tranche 2 reforms to the Privacy Act and would welcome a further gap analysis to investigate whether additional privacy protections within the Privacy Act could promote the safe adoption of AI across the Australian economy.

The OAIC would also support measures to ease regulatory burdens on CDR participants by streamlining laws to avoid duplication between primary privacy legislation and bespoke CDR privacy obligations, through the adoption of the Privacy Act as the sole regulatory regime. This may reduce barriers to CDR participation and encourage uptake of CDR for secure data access.

Resourcing education, compliance and enforcement

Changes to enforcement responsibilities due to reforms proposed by the PC should be accompanied by additional regulatory resources. The OAIC supports proposals for additional resources in the interim report. In particular, any implementation of outcomes-based obligations such as a best interest obligation may cause a significant increase in complaints and related dispute resolution, compliance and enforcement activity due to the breadth and ambiguity of a “best interest” in privacy law.

1 Australian Community Attitudes to Privacy Survey 2023 | OAIC

2 Australia's data breach costs hit record AUD $4.26m | IT Brief Australia

3 Notifiable Data Breaches Report: July to December 2024 | OAIC

4 Figures reported by IDCARE to the OAIC

5 Scam losses decline, but more work to do as Australians lose $2.7 billion | ACCC

6 In a 2025 stakeholder survey, 64% believed the OAIC's regulatory activities demonstrate collaboration and engagement, an increase from the previous year.

7 See for example: Report into preliminary inquiries of I-MED | OAIC

8 Stakeholder Survey Results 2025 | OAIC

9 Australian Community Attitudes to Privacy Survey 2023 | OAIC

10 Liu, Han Wei; Le, Toan; He, Weiping; Duffy, Michael, “In Whose Best Interests? Regulating Financial Advisers, the Royal Commission and the Dilemma of Reform” [2020] SydLawRw 2; (2020) 42(1) Sydney Law Review 37

11 A financial service must hold an Australian Financial Services licence or be an authorised representative of a licensee to provide financial advice. Licensing can involve certain obligations such as training, compliance with guidelines on how advice is given, risk management and other legal obligations. Obligations on regulated entities are designed to ensure that financial advisers are informed on how to best provide advice in accordance with their client best interest duty and with expectations. See: RG 175 AFS licensing: Financial product advisers—Conduct and disclosure | ASIC.

12 Privacy Act Review Report | Attorney-General's Department

13 Australian Community Attitudes to Privacy Survey 2023 | OAIC

14 Privacy Act Review Discussion Paper | OAIC

15 Polling data 2025 results | Reset.Tech Australia

16 Australian Community Attitudes to Privacy Survey 2023 | OAIC

17 Report into preliminary inquiries of I-MED | OAIC

18 OAIC regulatory priorities | OAIC

19 Australian Community Attitudes to Privacy Survey 2023 | OAIC

20 ACCC DPSI Consumer Survey Research Report, p. 24.

21 Trust in AI | Global insights 2025, p. 5.