14 December 2020

Australia needs a strong, fair and flexible privacy framework that prevents harm, protects fundamental human rights and builds public trust to support a successful economy, the national privacy regulator said today.

In a submission to the Australian Government’s review of the Privacy Act 1988, the Office of the Australian Information Commissioner (OAIC) said changes are needed to ensure privacy protections remain consistent with the values of Australians.

“The Privacy Act is a well-established framework that is principles-based, technologically neutral and flexible,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“However, the external landscape has changed significantly in recent years, and our research shows declining levels of community trust in how organisations handle personal information.

“Australians want more done to protect their privacy in the face of ongoing and emerging threats.”

Commissioner Falk said addressing these issues through the review is essential for the proper functioning of a data-driven economy.

“The community has a clear interest in organisations and government using data responsibly to innovate and provide services, but at the same time their personal information needs to be handled reasonably and fairly,” she said.

“Strong data protection and privacy rights are a precondition for consumer confidence and economic growth, and effective and proportionate privacy regulation is essential to achieving these mutual benefits.

“When regulated entities have a clear framework that sets out their personal information handling responsibilities, they will be able to operate and innovate with confidence.

“Equally, when Australians have clear privacy rights and trust that their personal information is protected, they will feel confident to engage in the data-driven economy and to access services.”

The OAIC’s submission on the Privacy Act recommends:

  • greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy
  • the introduction of fairness and reasonableness standards for the collection, use and disclosure of personal information
  • stronger organisational accountabilities for entities, with an onus on organisations to understand the risks that they create for others, and to mitigate those risks up front
  • the removal of exemptions for employee records and acts and practices by small business operators and political parties
  • that individuals should have a direct right to bring actions in the courts against organisations covered by the Privacy Act to seek compensation
  • the introduction of a statutory tort that can respond to a wide range of serious invasions of privacy.

Commissioner Falk said strengthening notice and consent requirements – and addressing their limitations – should be a central consideration in the review.

“Obtaining individual consent for the use of personal information is important, but it is not the answer in every circumstance,” she said.

“Australians should be able to expect that safe practices are in place, without having to read lengthy and complex notices on a take-it-or-leave-it basis.

“Consent should be kept for where it really matters and is meaningful, so it doesn’t turn into a tick-box exercise which detracts from its value in higher-risk situations.”

The OAIC submission also recommends reforms that ensure the OAIC can take proportionate regulatory action and meet community expectations through broadening the jurisdiction of the courts to hear privacy matters, strengthening compulsive powers of the Commissioner and allowing the Commissioner to issue infringement notices.

Additional enforcement powers would enhance the regulator’s ability to focus on issues of greatest risk to privacy, investigate potential breaches of the Privacy Act, deter inappropriate conduct and support privacy best practice.

“These changes are needed to help us effectively regulate new and emerging risks posed by personal information handling practices in the global digital environment,” Commissioner Falk said.

For more information, visit the Attorney-General Department's Review of the Privacy Act 1988.