28 January 2022

Opening Statement by Australian Information Commissioner and Privacy Commissioner Angelene Falk to the House Select Committee on Social Media and Online Safety's Inquiry into Social Media and Online Safety.

Thank you so much for inviting me to appear before the committee for this public hearing and for the opportunity to make this brief opening statement.

The Office of the Australian Information Commissioner recognises and indeed is responding to concern in the community about the privacy harms that can result in the online world, including when they involve children. We also know that in general we need to protect children and all members of the community within the digital world and not from it.

Practices like the detailed profiling of individuals for advertising purposes, a loss of choice and control over the handling of personal information and mass data scraping from social media sites are examples of where privacy harms can occur.

In terms of our role, the OAIC is the independent regulator of the Privacy Act 1988, which provides a framework for the handling of personal information by Australian government agencies and organisations right across the economy that have an annual turnover of more than $3 million, as well as all private health service providers regardless of turnover.

The Privacy Act contains a set of technologically neutral and flexible principles, the Australian Privacy Principles. They outline how organisations are permitted to collect, use and disclose personal information and requirements to keep that information secure. The flexible principles-based nature of the Privacy Act means it is adaptable and able to complement other legislation or regulatory frameworks that deal with related issues.

We work closely with other regulators to share intelligence and collaborate. For example, the Privacy Act operates in tandem with cybersecurity protections and also the new Online Safety Act, which is regulated by the eSafety Commissioner, to protect Australians from online harms.

For example, in a situation where personal data is used to target and personalise the delivery of online content that might be highly offensive, the Privacy Act applies to how personal information is handled by the platform and used in order to target that content, while the Online Safety Act may apply to the content itself.

Privacy and online safety are essential and complementary components in the ring of defence that's being built to address the online harms and risks faced by Australians in this environment, and both frameworks have distinct but complementary roles to play.

Our regulator network can take enforcement action targeting breaches, whether they involve privacy, safety, security or scams, and central to preventing online harms in all of these contexts are requirements to take a proactive approach to design any safeguards upfront.

While the current Privacy Act does apply in the online environment, my view is that greater safeguards for personal information are needed and there are two processes that are underway that no doubt the committee is aware of:

  • Firstly, the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, which was released as an exposure draft last year, proposes to increase the penalties for serious privacy breaches. It aligns them with penalties under consumer law and also provides for the development of an online privacy code to regulate social media and data brokerage services and large online platforms. It will require them to be more transparent about how they handle personal information with more stringent requirements and privacy rules for children.
  • Secondly, there is a more extensive process and that is a full review of the Privacy Act that is underway at present through the Attorney-General's Department. In response to the department's discussion paper my office has made detailed recommendations, which draw on our regulatory experience, about how these potential reforms could operate in practice.

Our recommendations seek to ensure Australia's privacy regime continues to operate effectively for all and promotes innovation and growth by:

  • protecting consumers from individual and collective privacy risks and harms
  • empowering consumers to take control of their personal information through new rights and enhanced transparency requirements
  • enhancing the framework of organisational accountability and personal information handling, and
  • establishing a regulatory framework that supports proactive and targeted regulation, strategic enforcement, efficient and more direct avenues of redress for individuals, and appropriate deterrents against mishandling of personal information, and finally
  • supporting global interoperability and minimising friction to ensure consistency of protection across the economy and to protect personal information wherever it flows.

Thank you, that concludes my opening remarks. I look forward to answering your questions.