Part 9: Enforcement powers under the Privacy Act and role of the OAIC

11 December 2020

9.1 The OAIC’s core purpose is to promote and uphold privacy rights in Australia. Promoting awareness of, and facilitating compliance with, the Privacy Act are two key ways in which the OAIC achieves this purpose and builds a culture of respect for the right to privacy in Australia. As part of this role, the OAIC seeks to use its current regulatory powers effectively and efficiently to secure appropriate outcomes for the Australian community. The OAIC’s visibility, experience and expertise helps to foster confidence that privacy rights will be defended. This confidence is integral to individuals’ trust in the information handling practices of APP entities.

9.2However, the OAIC’s regulatory experience indicates that additional mechanisms to the current privacy regulatory framework are required to ensure that the OAIC can continue to meet community expectations of a contemporary regulator. It is essential that the Privacy Act provides the OAIC with robust enforcement mechanisms that ensure individuals have access to a quick and effective remedies for the protection of their privacy rights and that create incentives for active compliance by APP entities.

9.3This is particularly important in light of the increasing volume of data held by business and government, the global nature of the digital economy, and the breadth of entities regulated by the Privacy Act, from Government to private sector entities across the economy.

9.4Reforms are required to ensure that the regulatory and enforcement framework under the Privacy Act are flexible and able to respond to emerging privacy issues over the coming years.  The OAIC must have the right regulatory tools available to take a pragmatic, proactive and proportionate approach to regulation. This includes enhanced provisions to work cooperatively with international regulators to investigate matters of global concern jointly, using commensurate powers.

9.5This approach requires a shift in emphasis in the current framework to ensure that the Commissioner can carry out their statutory functions in a manner that is appropriate in the digital age. At a high level, this requires the following changes:

• The Commissioner should be provided with more discretion in choosing when to exercise powers to investigate individual complaints to allow the OAIC to identify sectors and acts or practices of concern and prioritise matters accordingly.
• The Commissioner should be provided with enhanced enforcement powers and regulatory tools to effectively deter inappropriate conduct and support privacy best practice.

9.6The OAIC must also be appropriately resourced to properly carry out its statutory functions and use the full suite of regulatory powers effectively, including enforcement through the courts, which can be costly and resource intensive. It is notable that the UK Information Commissioner’s Office, which has investigated and imposed fines in a number of high profile and complex matters, is supported by a large office made possible by the requirement for entities to pay a ‘data protection fee’, supporting the office’s funding.[199]

9.7These recommendations are considered in more detail below.

Snapshot of OAIC’s current framework

9.8The Privacy Act currently confers a range of regulatory powers on the Commissioner, including investigation and enforcement powers. These powers are based on an escalation model. The OAIC considers that the Act’s premise of taking a linear escalation approach to regulation is no longer the most efficient model. Rather, the Privacy Act should provide a flexible tool kit of regulatory options, supported by appropriate powers and enforcement processes. This would enable the OAIC to take the most proportionate and effective action in the circumstances. This is more akin to a risk-based approach to regulation.[200]

9.9The OAIC currently has powers that allow it to work with APP entities to facilitate compliance and promote best privacy practice. These include powers to:

• request an entity, group of entities, body or association to develop an APP code, or the CR code, and apply to the Commissioner for the code to be registered, or for the Commissioner to develop the code and register it (ss 26E(2), 26G, 26P(1) and 26R)
• direct an agency (but not an organisation) to give the Commissioner a privacy impact assessment (PIA) (s 33D)
• monitor, or conduct an assessment of, whether personal information is being maintained and handled by an entity as required by law (ss 28A and 33C)
• direct a regulated entity to notify individuals at risk of serious harm, as well as the Commissioner, about an eligible data breach under Part IIIC of the Privacy Act (s 26WR).

9.10The OAIC’s regulatory powers to investigate or otherwise deal with an alleged interference with privacy include powers to:

• investigate a matter following a complaint (s 40(1)) or on the Commissioner’s own initiative (referred to as a ‘Commissioner initiated investigation’ (CII)) (s 40(2))
• attempt to conciliate a complaint (s 40A)
• decline to investigate, or further investigate, a complaint  in certain, specified circumstances (s 41)
• conduct preliminary inquiries to determine whether or not to open an investigation (s 42)
• require information or a document to be produced, or a person to attend before the Commissioner (ss 44–45)
• refer a complaint to an alternative complaint body specified in s 50
• enter premises and inspect relevant documents by consent or with a warrant (s 68).

9.11Enforcement powers, that range from less serious to more serious regulatory action, include powers to:

• accept an enforceable undertaking (s 33E)
• make a determination (s 52)
• seek an injunction including before, during or after an investigation or the exercise of another regulatory power (s 98)
• apply to the court for a civil penalty order for a breach of a civil penalty provision (s 80W).

9.12 The OAIC exercises these powers as far as possible under the current scheme to select the most appropriate regulatory tool in the circumstances, in order to take a proportionate and risk-based approach to regulation. The OAIC expects that a proportion of the Commissioner’s regulatory activity will need to continue to focus on detection, deterrence, rectification and remedy through the use of regulatory functions such as guidance, advice, monitoring, conciliations, assessments and administrative warnings.

9.13 However, there is a need to take more substantive regulatory and enforcement action on the Commissioner’s own initiative in order to shift the behaviour of regulated entities across sectors, rectify, remedy and provide broader deterrence. This requires sufficient regulatory tools and powers, as well as resources.

9.14The OAIC also considers collaboration to be a key part of its regulatory toolkit. The OAIC is continuing to develop and participate in arrangements that support international cooperation in investigation and the enforcement of privacy and data protection laws, including the APEC Cross-border Privacy Enforcement Arrangement and Global Privacy Enforcement Network. The OAIC has recently opened a joint investigation with the UK ICO.

9.15 Collaboration also includes working with other Australian regulators to ensure the protection of consumers, for example, as co-regulators for the Consumer Data Right.

Addressing the OAIC’s regulatory priorities

9.16The OAIC has identified four areas of privacy regulatory priority for 2020-2021:

• online platforms and social media
• the security of personal information, particularly in the finance and health sectors
• the Consumer Data Right
• COVID-19 personal information handling practices.

9.17 These priorities reflect a focused, targeted approach to privacy regulation, which the OAIC considers is the most effective use of the agency’s resources to derive the greatest benefit for Australians and the regulated community. This involves identifying sectors in government or industry, or recurring acts or practices, where the OAIC believes privacy regulatory action is necessary to have a significant impact on the protection and handling of personal information.

9.18The OAIC takes a whole-of-agency approach to these priority areas, targeting the Commissioner’s proactive policy and assessment functions to drive privacy best practice, as well as focus its investigation (including CII and complaint handling functions) and enforcement powers to deter systemic privacy misconduct where appropriate.

9.19 To enable this approach, however, the Commissioner must have discretion to select the appropriate regulatory tool that best addresses the privacy issues occurring in the particular sector or stemming from the recurring acts or practices, and strike the right balance between these proactive, investigative and enforcement activities and handling individual complaints.

9.20 The OAIC must also have the ability to target its limited resources to the areas of highest risk and need. The OAIC’s complaint-handling function serves as an important deterrent for inappropriate acts or practices and provides redress for individuals. It also serves as an important source of intelligence on emerging privacy issues to help the OAIC determine its regulatory priorities.

9.21 However, the OAIC is currently required to investigate all complaints, at least to the extent required to satisfy itself that a ground to cease investigating exists.[201] This can be resource intensive and limit the ability for the Commissioner to take a targeted or systemic approach to regulation.

9.22 It is important for the OAIC to be able to effectively prioritise matters and direct public funds towards resolving issues that have systemic importance or where more serious misconduct or harms have occurred.

9.23There are several amendments to the Privacy Act that will allow the Commissioner more flexibility in dealing with complaints.

9.24 Under s 40(1), the Commissioner is currently required to investigate all complaints. The OAIC recommends replacing the words ‘shall investigate’ with ‘may investigate’ in this provision. This would give the Commissioner more discretion to investigate or decline complaints to enhance the OAIC’s ability to take a more targeted approach to privacy regulation. It would be more consistent with s 41(1), which sets out the circumstances where the Commissioner does not need to investigate complaints.

9.25 The Explanatory Memorandum could specify that the intention of this change is to clarify that the Commissioner may exercise discretion to investigate based on factors such as the Commissioner’s regulatory policies and priorities and whether the resources needed to investigate a complaint are proportionate to the likely outcome or remedy available.

9.26 An additional amendment to s 41(dc) would also allow the Commissioner to more appropriately deal with complaints. Section 41(dc) allows the Commissioner to decline to investigate, or further investigate, a complaint that is being dealt with by a recognise external dispute resolution scheme (EDR scheme). The OAIC recommends that this ground be extended to instances where a complaint has already been adequately dealt with by an EDR scheme.

9.27The Commissioner must also have discretion to take a risk-based, proportionate approach in selecting the appropriate regulatory tool, having regard to the nature of the entity and the conduct in question. For example, where an investigation is not warranted, greater use could be made of administrative warnings to notify entities that allegations had been made and provide an opportunity to educate through guidance on privacy obligations.[202]

9.28 This is particularly important given the nature of the APPs, which are scalable based on the relevant circumstances, and the wide range of entities that the OAIC regulates, which range from small health providers to large multinational corporations to Australian Government agencies. Different approaches are required to apply this principles-based law to these very different entities, and the privacy framework should facilitate this flexibility.

9.29 This discretion will also be important if the current exemptions in the Privacy Act are removed (see Recommendations 27, 28, 29 and 30).

9.30Additionally, where the OAIC has declined to investigate a complaint, individuals may rely on a direct right of action to seek a remedy in the courts (see Part 10).[203] The Commissioner should also be provided with the appropriate powers to decline to investigate a complaint where it is more appropriately dealt with in the courts, or where the matter is or has been before the court (see Recommendation 53).

Expanding the OAIC’s enforcement mechanisms

9.31The Australian community is increasingly expecting the OAIC to take a more enforcement-focused approach where appropriate. The OAIC considers that such an approach is necessary in order to achieve regulatory objectives of deterrence and rectification on a broad scale.

9.32 Additional enforcement will also benefit regulated entities by creating precedents that will clarify and particularise the principles-based APPs.

9.33 To meet these community expectations, the OAIC considers that the Commissioner’s enforcement mechanisms must be enhanced to provide a credible deterrent against privacy infringements and bring the OAIC into line with comparable domestic and international regulators. As the collection, use or disclosure of personal information is being increasingly monetised, it is also essential that the Commissioner’s enforcement powers are sufficient to reduce the likelihood of APP entities treating breaches of the Privacy Act as a cost of doing business.

9.34 The OAIC recommends the introduction of several amendments discussed below, which will enhance the Commissioner’s enforcement powers and provide more flexible regulatory tools.

9.35 The review should also consider appropriate pecuniary enforcement options. Under the existing framework, the Commissioner has limited pecuniary enforcement options to address interferences with privacy. To address this issue, the OAIC recommends the following reforms:

• Introducing civil penalties for interferences with privacy – The Commissioner can currently only seek civil penalties for the most egregious conduct. Providing the Commissioner with the power to seek civil penalties for interferences with privacy would send a strong message about the importance of privacy compliance while providing the OAIC with the discretion to seek civil penalties where this is the appropriate regulatory tool. Whether an act or practice is serious or repeated would be aggravating factors that would guide the Commissioner’s discretion.
• Empowering the Commissioner to issue public infringement notices for interferences with privacy – Introducing an infringement notice power will complement existing regulatory options and respond to interferences with privacy through cost-efficient deterrence. It will help address the risk that declarations to change acts and practices through a s 52 determination of a Commissioner-initiated investigation lack strength and proportionality when compared with pecuniary options issued by other regulators, domestically and internationally. The quantum of infringement notices would need to be calibrated to ensure it is acts as an adequate deterrent and not a cost of doing business while still providing an incentive for a respondent to avoid going to court. The OAIC recommends the legislation take a tiered approach, fixing the quantum of infringement notices based on the type of APP entity that is the subject of the action.[205]

9.36 These powers would be exercised in accordance with the OAIC’s Regulatory action policy[206] and Guide to privacy regulatory action,[207] as amended, which set out the factors that inform the Commissioner’s discretion when selecting the most appropriate power in the circumstances. This includes the specific and general educational, deterrent or precedential value of the particular privacy regulatory action. This transparent, consistent and proportionate approach to enforcement is similar to comparable domestic[208] and international regulators.[209]

9.37The Commissioner is unlikely to seek civil penalties for minor or inadvertent contraventions, where the responsible entity has cooperated with the investigation and taken steps to avoid future contraventions.[210] There are, however, circumstances where seeking a civil penalty for an interference with privacy will provide the best outcome, having regard to the OAIC’s regulatory action policy.[211] For more (relatively) minor instances of misconduct which nonetheless merit a civil penalty, or where the resources involved in going to court are disproportionate to the potential civil penalty, the OAIC anticipates that an infringement notice would be used to provide a quick and cost-effective deterrent.

9.38 The review should also consider the conduct-orders that are available to the Federal Court. While the Commissioner can make a s 52 determination requiring changes in conduct, they cannot seek these orders from the court in civil penalty procedures. In practice this often means that the Commissioner must choose between seeking financial penalties in the courts or making a s 52 determination for an APP entity to change its conduct.

9.39 The OAIC recommends that the conduct orders available to the Commissioner when making a s 52 determination should be available to the Federal Court when the Commissioner seeks civil penalties.

9.40 Additionally, the orders available to the Commissioner when making a determination under s 52 after investigating a complaint or CII should also be enhanced with the following amendments:

• Order to identify and mitigate foreseeable risks - The loss or damage that may result from an interference with privacy may not be immediately apparent, particularly harms that occur because of a notifiable (eligible) data breach. The Commissioner can make orders to require respondents to perform any reasonable act or course of conduct to redress any loss or damage suffered. This should be enhanced to require respondents to perform any reasonable acts or course of conduct to identify and mitigate any foreseeable loss or damage. This may include requiring an APP entity to monitor whether information the subject of an eligible data breach has been published for sale on the dark web.
• Order to delete personal information - Where the Commissioner finds that an APP entity has collected information inappropriately, the Commissioner does not have an express order for the entity to delete this information. This means that an APP entity may be allowed to retain improperly collected personal information and potentially benefit from this conduct. The Commissioner should have an express power to order that a person or APP entity delete personal information where the Commissioner finds that this information was collected in contravention of the Privacy Act.

9.41The Commissioner’s information gathering powers, set out in Part V of the Privacy Act, are essential to the Commissioner carrying out their functions effectively. These include the power to obtain information and documents, as well as to require attendance at compulsory conferences. Failure to respond to these powers may result in criminal penalties.[212]

9.42 The Commissioner also has access to more extensive powers to seek a warrant to enter a premises without consent. Given the substantial impositions on the rights of APP entities, the Commissioner will only use these powers as an investigative tool in investigations where it is warranted in the circumstances.

9.43 The OAIC considers, however, that these information gathering powers need to be enhanced to ensure they remain effective, allow a case to be developed that will meet evidentiary requirements and are consistent with comparable regulators. Accordingly, the OAIC recommends that the review enhance these powers by introducing the following amendments:

• Infringement notice power – In addition to the infringement notice powers recommended above, the Commissioner should be empowered to issue an infringement notice where a person fails to provide information, answer a question or produce a document or record when this has been required under the Privacy Act. This would be an effective measure to promote greater co-operation with the regulatory activities of the office across both complaint handling and in circumstances where the Commissioner commences an investigation on their own initiative.
• Search and seizure powers – While the Commissioner can seek a warrant to enter a premise under s 68, this only expressly allows the OAIC to inspect the relevant documents. These powers are inadequate and inconsistent with comparable domestic[213] and international regulators.[214] This power should expressly permit the Commissioner to make copies of information and documents specified in the warrant and operate electronic materials to determine whether the kinds of information and documents specified in the warrant are accessible.
• Prevent the destruction of evidence – The Commissioner should have the power to seek a warrant to preserve or secure information and documents where there is a possibility that a person may destroy such materials or cause it them be unavailable for use in an investigation.[215] It should also be an express offence to destroy evidence that may be reasonably required by the Commissioner.
  • There are several examples of where further information gathering powers would promote co-operation with the Commissioner’s investigative and complaint-handling processes:
  • A complainant sought health information from an APP entity under APP 12. The APP entity refused to provide this information to the OAIC, even after receiving a notice under s 44 of the Privacy Act, which caused undue delay in handling the complaint.[216]
  • Data protection authorities internationally have entered entities’ premises to seize evidence, particularly in circumstances where there was concern that evidence would be destroyed.[217]
  • While making preliminary inquiries into a potential breach of the Privacy Act, it became apparent that relevant evidence was held by a subcontractor who was also a small business operator exempt from the Act. In the course of the investigation, the subcontractor started deleting the relevant information. This impacted the ability to gather necessary evidence into the potential contravention by the regulated entity and delayed the preliminary inquiries.