11 December 2020
53. Is the current enforcement framework for interferences with privacy working effectively?
54. Does the current enforcement approach achieve the right balance between conciliating complaints, investigating systemic issues, and taking punitive action for serious non-compliance?
55. Are the remedies available to the Commissioner sufficient or do the enforcement mechanisms available to the Commissioner require expansion?
a. If so, what should these enforcement mechanisms look like?
9.1 The OAIC’s core purpose is to promote and uphold privacy rights in Australia. Promoting awareness of, and facilitating compliance with, the Privacy Act are two key ways in which the OAIC achieves this purpose and builds a culture of respect for the right to privacy in Australia. As part of this role, the OAIC seeks to use its current regulatory powers effectively and efficiently to secure appropriate outcomes for the Australian community. The OAIC’s visibility, experience and expertise help to foster confidence that privacy rights will be defended. This confidence is integral to individuals’ trust in the information handling practices of APP entities.
9.2 However, the OAIC’s regulatory experience indicates that the current privacy regulatory framework requires additional mechanisms to ensure that the OAIC can continue to meet community expectations of a contemporary regulator. It is essential that the Privacy Act provides the OAIC with robust enforcement mechanisms that ensure individuals have access to quick and effective remedies for the protection of their privacy rights and that create incentives for active compliance by APP entities.
9.3 This is particularly important in light of the increasing volume of data held by business and government, the global nature of the digital economy, and the breadth of entities regulated by the Privacy Act, from Government to private sector entities across the economy.
9.4 Reforms are required to ensure that the regulatory and enforcement framework under the Privacy Act is flexible and able to respond to emerging privacy issues over the coming years. The OAIC must have the right regulatory tools available to take a pragmatic, proactive and proportionate approach to regulation. This includes enhanced provisions to work cooperatively with international regulators to investigate matters of global concern jointly, using commensurate powers.
9.5 This approach requires a shift in emphasis in the current framework to ensure that the Commissioner can carry out their statutory functions in a manner that is appropriate in the digital age. At a high level, this requires the following changes:
- The Commissioner should be provided with more discretion in choosing when to exercise powers to investigate individual complaints to allow the OAIC to identify sectors and acts or practices of concern and prioritise matters accordingly.
- The Commissioner should be provided with enhanced enforcement powers and regulatory tools to effectively deter inappropriate conduct and support privacy best practice.
9.6 The OAIC must also be appropriately resourced to properly carry out its statutory functions and use the full suite of regulatory powers effectively, including enforcement through the courts, which can be costly and resource intensive. It is notable that the UK Information Commissioner’s Office, which has investigated and imposed fines in a number of high profile and complex matters, is supported by a large office funded in part by the requirement for entities to pay a ‘data protection fee’.
9.7 These recommendations are considered in more detail below.
Snapshot of OAIC’s current framework
9.8 The Privacy Act currently confers a range of regulatory powers on the Commissioner, including investigation and enforcement powers. These powers are based on an escalation model. The OAIC considers that the Act’s premise of taking a linear escalation approach to regulation is no longer the most efficient model. Rather, the Privacy Act should provide a flexible tool kit of regulatory options, supported by appropriate powers and enforcement processes. This would enable the OAIC to take the most proportionate and effective action in the circumstances. This is more akin to a risk-based approach to regulation.
9.9 The OAIC currently has powers that allow it to work with APP entities to facilitate compliance and promote best privacy practice. These include powers to:
- request an entity, group of entities, body or association to develop an APP code, or the CR code, and apply to the Commissioner for the code to be registered, or for the Commissioner to develop the code and register it (ss 26E(2), 26G, 26P(1) and 26R)
- direct an agency (but not an organisation) to give the Commissioner a privacy impact assessment (PIA) (s 33D)
- monitor, or conduct an assessment of, whether personal information is being maintained and handled by an entity as required by law (ss 28A and 33C)
- direct a regulated entity to notify individuals at risk of serious harm, as well as the Commissioner, about an eligible data breach under Part IIIC of the Privacy Act (s 26WR).
9.10 The OAIC’s regulatory powers to investigate or otherwise deal with an alleged interference with privacy include powers to:
- investigate a matter following a complaint (s 40(1)) or on the Commissioner’s own initiative (referred to as a ‘Commissioner initiated investigation’ (CII)) (s 40(2))
- attempt to conciliate a complaint (s 40A)
- decline to investigate, or further investigate, a complaint in certain, specified circumstances (s 41)
- conduct preliminary inquiries to determine whether or not to open an investigation (s 42)
- require information or a document to be produced, or a person to attend before the Commissioner (ss 44–45)
- refer a complaint to an alternative complaint body specified in s 50
- enter premises and inspect relevant documents by consent or with a warrant (s 68).
9.11 Enforcement powers, which range from less serious to more serious regulatory action, include powers to:
- accept an enforceable undertaking (s 33E)
- make a determination (s 52)
- seek an injunction including before, during or after an investigation or the exercise of another regulatory power (s 98)
- apply to the court for a civil penalty order for a breach of a civil penalty provision (s 80W).
9.12 The OAIC exercises these powers as far as possible under the current scheme to select the most appropriate regulatory tool in the circumstances, in order to take a proportionate and risk-based approach to regulation. The OAIC expects that a proportion of the Commissioner’s regulatory activity will need to continue to focus on detection, deterrence, rectification and remedy through the use of regulatory functions such as guidance, advice, monitoring, conciliations, assessments and administrative warnings.
9.13 However, there is a need to take more substantive regulatory and enforcement action on the Commissioner’s own initiative in order to shift the behaviour of regulated entities across sectors, rectify, remedy and provide broader deterrence. This requires sufficient regulatory tools and powers, as well as resources.
9.14 The OAIC also considers collaboration to be a key part of its regulatory toolkit. The OAIC is continuing to develop and participate in arrangements that support international cooperation in investigation and the enforcement of privacy and data protection laws, including the APEC Cross-border Privacy Enforcement Arrangement and Global Privacy Enforcement Network. The OAIC has recently opened a joint investigation with the UK ICO.
9.15 Collaboration also includes working with other Australian regulators to ensure the protection of consumers, for example, as co-regulators for the Consumer Data Right.
The OAIC is experiencing sustained activity across its regulatory functions, which can be attributed to changes in the regulatory environment, the data practices of entities, and a growing desire of the community to protect their privacy rights:
- An increasing focus on addressing systemic privacy acts/practices, particularly in the online space, through CIIs. During the 2019-2020 reporting period, the OAIC commenced 27% more privacy CIIs and finalised 200% more privacy CIIs than the previous financial year.
- Complaints received have generally increased year on year (2018-19: 12.1% increase; 2017–18: 18% increase; 2016–17: 17% increase) with the exception of 2019-2020 (a decrease of 20%), which is likely due to the COVID-19 pandemic.
- Rising numbers of data breaches being reported to the OAIC since the introduction of the NDB scheme, with 2019-20 seeing an increase of 11% in the number of notifications compared to 2018-2019 (as well as a 733% increase in data breach notifications after reporting became mandatory).
Addressing the OAIC’s regulatory priorities
9.16 The OAIC has identified four areas of privacy regulatory priority for 2020-2021:
- online platforms and social media
- the security of personal information, particularly in the finance and health sectors
- the Consumer Data Right
- COVID-19 personal information handling practices.
9.17 These priorities reflect a focused, targeted approach to privacy regulation, which the OAIC considers is the most effective use of the agency’s resources to derive the greatest benefit for Australians and the regulated community. This involves identifying sectors in government or industry, or recurring acts or practices, where the OAIC believes privacy regulatory action is necessary to have a significant impact on the protection and handling of personal information.
9.18 The OAIC takes a whole-of-agency approach to these priority areas, targeting the Commissioner’s proactive policy and assessment functions to drive privacy best practice, as well as focusing its investigation (including CII and complaint handling) functions and enforcement powers to deter systemic privacy misconduct where appropriate.
9.19 To enable this approach, however, the Commissioner must have discretion to select the appropriate regulatory tool that best addresses the privacy issues occurring in the particular sector or stemming from the recurring acts or practices, and strike the right balance between these proactive, investigative and enforcement activities and handling individual complaints.
9.20 The OAIC must also have the ability to target its limited resources to the areas of highest risk and need. The OAIC’s complaint-handling function serves as an important deterrent for inappropriate acts or practices and provides redress for individuals. It also serves as an important source of intelligence on emerging privacy issues to help the OAIC determine its regulatory priorities.
9.21 However, the OAIC is currently required to investigate all complaints, at least to the extent required to satisfy itself that a ground to cease investigating exists. This can be resource intensive and limit the ability for the Commissioner to take a targeted or systemic approach to regulation.
9.22 It is important for the OAIC to be able to effectively prioritise matters and direct public funds towards resolving issues that have systemic importance or where more serious misconduct or harms have occurred.
9.23 There are several amendments to the Privacy Act that will allow the Commissioner more flexibility in dealing with complaints.
9.24 Under s 40(1), the Commissioner is currently required to investigate all complaints. The OAIC recommends replacing the words ‘shall investigate’ with ‘may investigate’ in this provision. This would give the Commissioner more discretion to investigate or decline complaints to enhance the OAIC’s ability to take a more targeted approach to privacy regulation. It would be more consistent with s 41(1), which sets out the circumstances where the Commissioner does not need to investigate complaints.
9.25 The Explanatory Memorandum could specify that the intention of this change is to clarify that the Commissioner may exercise discretion to investigate based on factors such as the Commissioner’s regulatory policies and priorities and whether the resources needed to investigate a complaint are proportionate to the likely outcome or remedy available.
9.26 An additional amendment to s 41(dc) would also allow the Commissioner to more appropriately deal with complaints. Section 41(dc) allows the Commissioner to decline to investigate, or further investigate, a complaint that is being dealt with by a recognised external dispute resolution scheme (EDR scheme). The OAIC recommends that this ground be extended to instances where a complaint has already been adequately dealt with by an EDR scheme.
9.27 The Commissioner must also have discretion to take a risk-based, proportionate approach in selecting the appropriate regulatory tool, having regard to the nature of the entity and the conduct in question. For example, where an investigation is not warranted, greater use could be made of administrative warnings to notify entities that allegations have been made and to provide an opportunity to educate through guidance on privacy obligations.
9.28 This is particularly important given the nature of the APPs, which are scalable based on the relevant circumstances, and the wide range of entities that the OAIC regulates, which range from small health providers to large multinational corporations to Australian Government agencies. Different approaches are required to apply this principles-based law to these very different entities, and the privacy framework should facilitate this flexibility.
9.29 This discretion will also be important if the current exemptions in the Privacy Act are removed (see Recommendations 27, 28, 29 and 30).
9.30 Additionally, where the OAIC has declined to investigate a complaint, individuals may rely on a direct right of action to seek a remedy in the courts (see Part 10). The Commissioner should also be provided with the appropriate powers to decline to investigate a complaint where it is more appropriately dealt with in the courts, or where the matter is or has been before the court (see Recommendation 53).
Recommendation 48 Amend s 40(1) to replace the words ‘shall investigate’ with ‘may investigate’ and clarify in the Explanatory Memorandum that this change is to allow the Commissioner to exercise discretion to investigate based on factors such as the Commissioner’s regulatory policies and priorities, whether the resources needed to investigate a complaint are proportionate to the likely outcome or remedy available and whether the substance of the complaint is about matters that fall under the Privacy Act.
Recommendation 49 Expand s 41(dc) to instances where a complaint has already been adequately dealt with by an EDR scheme.
Expanding the OAIC’s enforcement mechanisms
9.31 The Australian community increasingly expects the OAIC to take a more enforcement-focused approach where appropriate. The OAIC considers that such an approach is necessary in order to achieve the regulatory objectives of deterrence and rectification on a broad scale.
The vast majority (83%) of Australians want the government to do more to protect the privacy of their data. This includes being protected against harmful practices, with 84% believing personal information should not be used in ways that cause harm, loss or distress.
9.32 Additional enforcement will also benefit regulated entities by creating precedents that will clarify and particularise the principles-based APPs.
9.33 To meet these community expectations, the OAIC considers that the Commissioner’s enforcement mechanisms must be enhanced to provide a credible deterrent against privacy infringements and bring the OAIC into line with comparable domestic and international regulators. As the collection, use or disclosure of personal information is being increasingly monetised, it is also essential that the Commissioner’s enforcement powers are sufficient to reduce the likelihood of APP entities treating breaches of the Privacy Act as a cost of doing business.
9.34 The OAIC recommends the introduction of several amendments discussed below, which will enhance the Commissioner’s enforcement powers and provide more flexible regulatory tools.
9.35 The review should also consider appropriate pecuniary enforcement options. Under the existing framework, the Commissioner has limited pecuniary enforcement options to address interferences with privacy. To address this issue, the OAIC recommends the following reforms:
- Introducing civil penalties for interferences with privacy – The Commissioner can currently only seek civil penalties for the most egregious conduct. Providing the Commissioner with the power to seek civil penalties for interferences with privacy would send a strong message about the importance of privacy compliance while providing the OAIC with the discretion to seek civil penalties where this is the appropriate regulatory tool. Whether an act or practice is serious or repeated would be aggravating factors that would guide the Commissioner’s discretion.
- Empowering the Commissioner to issue public infringement notices for interferences with privacy – Introducing an infringement notice power will complement existing regulatory options and respond to interferences with privacy through cost-efficient deterrence. It will help address the risk that declarations to change acts and practices through a s 52 determination following a Commissioner-initiated investigation lack strength and proportionality when compared with the pecuniary options available to other regulators, domestically and internationally. The quantum of infringement notices would need to be calibrated to ensure it acts as an adequate deterrent and not a cost of doing business, while still providing an incentive for a respondent to avoid going to court. The OAIC recommends that the legislation take a tiered approach, fixing the quantum of infringement notices based on the type of APP entity that is the subject of the action.
9.36 These powers would be exercised in accordance with the OAIC’s Regulatory action policy and Guide to privacy regulatory action, as amended, which set out the factors that inform the Commissioner’s discretion when selecting the most appropriate power in the circumstances. This includes the specific and general educational, deterrent or precedential value of the particular privacy regulatory action. This transparent, consistent and proportionate approach to enforcement is similar to comparable domestic and international regulators.
9.37 The Commissioner is unlikely to seek civil penalties for minor or inadvertent contraventions, where the responsible entity has cooperated with the investigation and taken steps to avoid future contraventions. There are, however, circumstances where seeking a civil penalty for an interference with privacy will provide the best outcome, having regard to the OAIC’s regulatory action policy. For more (relatively) minor instances of misconduct which nonetheless merit a civil penalty, or where the resources involved in going to court are disproportionate to the potential civil penalty, the OAIC anticipates that an infringement notice would be used to provide a quick and cost-effective deterrent.
There are several situations where seeking a civil penalty for an interference with privacy or issuing an infringement notice may be appropriate for conduct that may not meet the s 13G threshold. While each situation will be assessed on its merits, these circumstances could include:
- An eligible data breach involving a very large data set of personal (but not sensitive) information.
- An entity mishandling personal information where unjustified adverse impacts flowing to individuals due to the breach cannot be established because of poor record keeping by a respondent.
- Some instances where an APP entity has failed to notify individuals of an eligible data breach as soon as is practicable in accordance with s 26WL.
9.38 The review should also consider the conduct orders that are available to the Federal Court. While the Commissioner can make a s 52 determination requiring changes in conduct, they cannot seek these orders from the court in civil penalty proceedings. In practice this often means that the Commissioner must choose between seeking financial penalties in the courts or making a s 52 determination for an APP entity to change its conduct.
9.39 The OAIC recommends that the conduct orders available to the Commissioner when making a s 52 determination should be available to the Federal Court when the Commissioner seeks civil penalties.
9.40 Additionally, the orders available to the Commissioner when making a determination under s 52 after investigating a complaint or CII should also be enhanced with the following amendments:
- Order to identify and mitigate foreseeable risks – The loss or damage that may result from an interference with privacy may not be immediately apparent, particularly harms that occur because of a notifiable (eligible) data breach. The Commissioner can make orders to require respondents to perform any reasonable act or course of conduct to redress any loss or damage suffered. This should be enhanced to require respondents to perform any reasonable act or course of conduct to identify and mitigate any foreseeable loss or damage. This may include requiring an APP entity to monitor whether information the subject of an eligible data breach has been published for sale on the dark web.
- Order to delete personal information – Where the Commissioner finds that an APP entity has collected information inappropriately, the Commissioner does not have an express power to order the entity to delete this information. This means that an APP entity may be allowed to retain improperly collected personal information and potentially benefit from this conduct. The Commissioner should have an express power to order that a person or APP entity delete personal information where the Commissioner finds that this information was collected in contravention of the Privacy Act.
9.41 The Commissioner’s information gathering powers, set out in Part V of the Privacy Act, are essential to the Commissioner carrying out their functions effectively. These include the power to obtain information and documents, as well as to require attendance at compulsory conferences. Failure to respond to these powers may result in criminal penalties.
9.42 The Commissioner also has access to more extensive powers to seek a warrant to enter premises without consent. Given the substantial impositions on the rights of APP entities, the Commissioner will only use these powers as an investigative tool in investigations where it is warranted in the circumstances.
9.43 The OAIC considers, however, that these information gathering powers need to be enhanced to ensure they remain effective, allow a case to be developed that will meet evidentiary requirements and are consistent with comparable regulators. Accordingly, the OAIC recommends that the review enhance these powers by introducing the following amendments:
- Infringement notice power – In addition to the infringement notice powers recommended above, the Commissioner should be empowered to issue an infringement notice where a person fails to provide information, answer a question or produce a document or record when this has been required under the Privacy Act. This would be an effective measure to promote greater co-operation with the regulatory activities of the office across both complaint handling and in circumstances where the Commissioner commences an investigation on their own initiative.
- Search and seizure powers – While the Commissioner can seek a warrant to enter premises under s 68, this only expressly allows the OAIC to inspect the relevant documents. These powers are inadequate and inconsistent with comparable domestic and international regulators. This power should expressly permit the Commissioner to make copies of information and documents specified in the warrant and to operate electronic materials to determine whether the kinds of information and documents specified in the warrant are accessible.
- Prevent the destruction of evidence – The Commissioner should have the power to seek a warrant to preserve or secure information and documents where there is a possibility that a person may destroy such materials or cause them to be unavailable for use in an investigation. It should also be an express offence to destroy evidence that may be reasonably required by the Commissioner.
There are several examples of where further information gathering powers would promote co-operation with the Commissioner’s investigative and complaint-handling processes:
- A complainant sought health information from an APP entity under APP 12. The APP entity refused to provide this information to the OAIC, even after receiving a notice under s 44 of the Privacy Act, which caused undue delay in handling the complaint.
- Data protection authorities internationally have entered entities’ premises to seize evidence, particularly in circumstances where there was concern that evidence would be destroyed.
- While making preliminary inquiries into a potential breach of the Privacy Act, it became apparent that relevant evidence was held by a subcontractor who was also a small business operator exempt from the Act. In the course of the investigation, the subcontractor started deleting the relevant information. This impacted the ability to gather necessary evidence into the potential contravention by the regulated entity and delayed the preliminary inquiries.
Recommendation 50 Introduce the following amendments to the enforcement mechanisms under the Privacy Act:
- empower the Commissioner to issue infringement notices for interferences with privacy and where a person fails to give information to the Commissioner when this has been required under the Privacy Act
- introduce civil penalties for interferences with privacy
- provide the Federal Court with the power to make the conduct orders which are available to the Commissioner through a s 52 determination
- allow the Commissioner to make orders in a s 52 determination requiring respondents to identify and mitigate foreseeable risks or to delete personal information
- enhance the Commissioner’s search and seizure powers to allow the OAIC to make copies of information and documents specified in the warrant and operate electronic materials to determine whether the kinds of information and documents specified in the warrant are accessible
- empower the Commissioner to seek a warrant to preserve and secure relevant information and documents.
For more details, see Sparrow, M. (2008). The Character of Harms: Operational Challenges in Control. Cambridge: Cambridge University Press.
Privacy Act, s 40(1) and s 41.
Australian Communications and Media Authority (2020), Spam compliance alerts [online document], ACMA website, accessed 11 November 2020; and Australian Communications and Media Authority (2020), Telemarketing compliance alerts [online document], ACMA website, accessed 11 November 2020.
The relationship between a complaint handling function and a direct right of action was recently explained in the Office of the Privacy Commissioner of Canada (2019) 2018-2019 Annual Report to Parliament on the Privacy Act [online document], OPCC website, accessed 25 November 2020:
Currently, the Commissioner does not have the power or authority to refuse or discontinue complaints under the Privacy Act, though he does under PIPEDA in certain defined circumstances. We have recommended to Parliament that the law should provide our Office with the ability to choose which complaints to investigate, in order to focus our limited resources on issues that pose the highest risk or may have the greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, a modernized law must also give individuals a private right of action for violations to ensure they can pursue recourse.
Our Office, like many of our privacy and data protection counterparts, upholds several mandates with finite resources. Where our Office does not proceed with an investigation of a complaint, individuals should have the right to seek judicial redress on their own accord. This would help ensure that individuals’ rights are respected and they are not left without a remedy. This right exists in the GDPR and is being considered elsewhere. For example, the New York privacy act that was before the State Senate Consumer Protection Committee at the time of drafting this report seeks to provide individuals with the right, among others, to sue companies directly over privacy violations.
See OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 8.
See for example the ACCC’s Guideline on the use of infringement notices, which states that the value of infringement notices will vary based on whether the subject is an individual, corporation or listed corporation.
See for example the chapters on Compliance and enforcement strategy and Priority factors in ACCC (n.d.) Compliance & enforcement policy & priorities [online document], ACCC website, accessed 11 November 2020, and ACCC (July 2020), Infringement Notices: Guideline on the use of infringement notices by the Australian Competition and Consumer Commission, ACCC, Australian Government, pp. 3-5. In relation to ASIC, see the discussion of infringement notices and how ASIC decides which enforcement tools to use in ASIC (n.d.) Information Sheet 151: ASIC’s approach to enforcement, ASIC, Australian Government, pp. 4-9. See ACMA’s compliance and enforcement approach in ACMA (n.d.) Compliance and enforcement policy [online document], ACMA website, accessed 11 November 2020, and ACMA (2019) Regulatory guide No. 5 – Infringement Notices, ACMA, Australian Government, pp. 3-4.
For example, UK ICO (n.d.) Regulatory Action Policy, which sets out its objectives for regulatory action (pp. 6-7) and the relevant factors when selecting the appropriate regulatory action, including the nature and seriousness of the breach, the types of information affected and the level of privacy intrusion, whether the incident raises new issues, and the public interest in regulatory action being taken (pp. 10-13).
Privacy Act, s 66.
See for example the ACCC’s powers to apply for warrants to enter and search premises, make copies of evidence specified in the warrant and operate electronic materials to see whether the kind of evidential material specified in the warrant is accessible (Competition and Consumer Act 2010, ss 154A and 154G). ASIC has similar powers under the Corporations Act 2001 (see for example s 530C), the Australian Securities and Investments Commission Act 2001 (see for example s 37) and the Crimes Act 1914 (see Division 2 of Part IAA).
See for example the UK ICO’s search and seizure powers under schedule 15 of the Data Protection Act 2018.
This power could be modelled on r 7.43 of the Federal Court Rules 2011 (Cth) or s 530C of the Corporations Act 2001 (Cth).
For example, see recent privacy determinations by the Commissioner: 'VU' and 'VV', 'VW' (Privacy) AICmr 52 (14 September 2020), 'VJ', 'VK', 'VL' and 'VM' (Privacy) AICmr 45 (2 September 2020) and 'VN' and 'VM' (Privacy) AICmr 46 (2 September 2020).
See for example UK ICO (2018) Investigation into the use of data analytics in political campaigns [online document], UK ICO, United Kingdom Government, p. 33.