2 May 2022
Keynote address by Australian Information Commissioner and Privacy Commissioner Angelene Falk to launch Privacy Awareness Week 2022.
Good morning, I’m Angelene Falk, Australian Information Commissioner and Privacy Commissioner.
I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of the land from which I join you today.
I pay my respects to Elders past, present and emerging, and I extend that respect to Aboriginal and Torres Strait Islander peoples present.
Welcome to Privacy Awareness Week!
Privacy Awareness Week is a time each year when the Office of the Australian Information Commissioner comes together with privacy regulators around Australia, government agencies and private sector organisations, to shine a spotlight on the importance of protecting personal information.
This year we are highlighting privacy as the foundation of trust.
We’ve seen during the pandemic how crucial trust is in the handling of personal information, and how strong privacy protections support public health outcomes.
And, as the digital economy continues to grow, as organisations consider new ways of handling personal information, and the community engages further in the online world, it’s clear that trust plays a fundamental role in determining whether these initiatives are a success.
According to our 2020 community attitudes to privacy survey, trust in organisations and agencies with respect to their personal information handling practices is down by 13% and 14% respectively since 2007.
Australians trust health service providers, federal government departments and financial institutions the most with their personal information, and the social media industry, apps and search engines the least.
The latest Edelman Trust Barometer found that 55% of Australians said their default tendency is to distrust something until they see evidence it is trustworthy.
Other surveys suggest negative experiences have a substantial impact on trust and our willingness to engage with organisations and their products and services. By way of example, 45% of respondents to a recent global survey said they stopped, or would stop, using a company’s services if they knew it had suffered a serious data breach.
There is work to do together so that the public can trust organisations to protect and handle their personal information responsibly: transparently, accountably, and in ways the community would regard as fair and reasonable.
Our Privacy Awareness Week campaign this year highlights the building blocks that can bring about a strong foundation.
For individuals, a strong privacy foundation starts with valuing our personal information. Our personal information goes to the foundations of who we are – it is worth protecting.
Our research shows Australians want to be protected against harmful practices, they want more control and choice over the use of their personal information, and increased rights, such as asking businesses to delete their personal information. We also know privacy is growing as a material factor in purchasing decisions, alongside the traditional factors of quality, convenience and price.
So, for organisations and government agencies, putting the individual at the centre of your personal information handling practices when designing new products, services, policies and programs will help the community to trust and engage with you.
A strong privacy foundation starts with knowing your privacy obligations and the community’s expectations.
It means taking a privacy by design approach, embedding good privacy practices, right from the start.
As important as it is to get the foundations right, our privacy platforms need ongoing upgrades.
This is especially important as our world is rapidly transformed by innovations in technology, with our personal information now a major fuel source of the digital economy and being used in ways that were beyond our imagination just years ago.
We are seeing many leading organisations focus not only on what harms good privacy practices can prevent, but what privacy can enable.
If the right foundations are in place, you will have the ability to increase the focus on your organisation’s unique qualities and make privacy part of your competitive advantage – and the community will respond.
And for our government agencies audience, good privacy practices will help to uplift your department or agency’s standing as a trusted custodian of Australians’ personal information and build confidence in your work.
To unpack these issues, I’m delighted to have here with me today 3 distinguished guest speakers:
- Jane Horvath, Chief Privacy Officer at Apple
- Rebecca Skinner, the CEO of Services Australia
- and Erin Turner, the CEO of the Consumer Policy Research Centre.
Jane, Rebecca and Erin will join me soon to explore the importance of trust in personal information handling from the perspective of business, a government agency, and the consumer, and how that trust is developed and sustained in complex environments.
But first, I’ll outline some of the work of the OAIC to build privacy foundations that create trust, now and into the future.
The OAIC’s vision for privacy is to increase public trust and confidence in the protection of personal information.
Our goal is to shift the environment so that individuals are protected from harm, offered fair privacy choices and have a greater degree of choice and control, and that entities are incentivised to build the systems that proactively address privacy risks.
Our regulatory activities are aimed at preventing and addressing privacy harms, including those emerging online.
Today I will share more about two of our strategic focus areas: areas where we’ve identified significant potential for harm.
The first is online platforms, social media and high privacy impact technologies.
Our priorities in this area include technologies and business practices that record, monitor and track.
We are also focused on practices of online platforms and services that limit individuals’ choice and control, such as default settings, consent and security.
And we are taking regulatory action that seeks to hold businesses to account.
That includes our Federal Court action against US-based Facebook Inc and Facebook Ireland.
And I have recently made three determinations under this priority involving 7-Eleven, Clearview AI Inc and the Australian Federal Police. Collectively they address the use of facial recognition technology, whether the collection of personal information was necessary and fair, and failures around privacy governance.
These determinations should put other organisations on notice about their responsibilities under the Privacy Act for new and emerging high privacy impact technologies. These technologies must be used responsibly in the public interest, without creating privacy risks and harms.
The second area is regulatory action that supports the security of personal information.
The Notifiable Data Breaches scheme and other requirements under the Privacy Act to secure personal information are essential parts of the ring of defence to protect Australian organisations and individuals, especially in the online environment.
The Notifiable Data Breaches scheme has now been in effect for over 4 years and in that time, the scheme has ensured that individuals placed at risk of serious harm from over 3,500 data breaches have been made aware of the breach and provided with practical guidance on mitigating the risk of harm.
The scheme strengthens the protections afforded to everyone’s personal information and has improved transparency and accountability in the way organisations prevent and respond to serious breaches.
It is now a mature model, and you can expect to see more regulatory action that’s focused on entities that aren’t complying with the notification requirements, or where there’s a significant failure to protect personal information, particularly where we’ve called out the risks.
As our guests today demonstrate, privacy can cross many industry divides and geographic locations.
New legislative developments overseas demonstrate a trend towards increasing regulatory intersection.
For example, the provisionally agreed Digital Markets Act and Digital Services Act in the EU will introduce requirements aimed at addressing the market power of dominant platforms that act as gatekeepers online and to create safer online environments, some of which impact the handling of personal information online.
As regulators we need to act in concert to achieve the most effective outcomes in the public interest.
To support a streamlined and cohesive approach to the regulation of digital platforms, the OAIC, ACMA, the ACCC and eSafety formed the Digital Platform Regulators Forum.
This forum is an initiative to share information and collaborate on cross-cutting issues and activities on the regulation of digital platforms. This includes consideration of how competition, consumer protection, privacy, online safety and data issues intersect.
The OAIC is also active in international engagement to shape global approaches to tech regulation.
Globally interoperable data protection regulation is increasingly important to ensure that the personal information of Australians is protected, wherever it flows.
Our recent determination on Clearview AI Inc is an example of international collaboration.
It followed a joint investigation between the OAIC and the Information Commissioner’s Office in the United Kingdom, which also built on a Resolution on Facial Recognition Technology presented by our offices at a Global Privacy Assembly conference.
The benefits of international collaboration include efficiency, greater alignment in international interpretation of privacy principles, and benefits to the community and regulated entities through enhanced coordination.
Looking forward, we expect to see more convergence of regulatory approaches to achieve the best outcomes for individuals. Indeed, it now takes a network of regulators, domestically and internationally, to regulate data and personal information in the digital environment.
At the same time, organisations and agencies have a critical proactive role to play, in embedding privacy into products and services, programs and policies, without prodding from my office.
A key part of this is supporting individuals to manage their privacy through being accountable and transparent, and handling personal information you’re entrusted with in ways the community would regard as fair and reasonable.
Often the community expects more from organisations and government agencies than is required by the current Privacy Act.
By making privacy an organisational priority, you will be able to innovate with confidence and strengthen your relationship with your community, building trust and confidence along the way.
And there we come back to the core message of Privacy Awareness Week this year – making privacy the foundation of trust.