11 May 2023
Keynote address by Australian Information Commissioner and Privacy Commissioner Angelene Falk to launch Privacy Awareness Week 2023 on 1 May 2023 at the International Association of Privacy Professionals (IAPP) Australia and New Zealand delegate tour in Sydney.
Check against delivery
Good morning and welcome to Privacy Awareness Week 2023.
It's wonderful to be here, and thank you very much to Antony Shaw, the CEO of HSBC, for providing this wonderful venue, and to Trevor Hughes for the work that IAPP does in Australia and New Zealand to bring knowledge to practitioners each and every day.
I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of the land from which I join you. I pay my respects to their Elders past and present and I extend that respect to all First Nations peoples with us today.
This year’s theme for Privacy Awareness Week is about getting 'back to basics': Privacy 101. It’s a campaign that we have delivered with imagery that may take you back to an earlier time, when I for one had big hair, Pac-Man ruled, and we relied on creaky modems to connect to that amazing new creation – the Internet.
Times have certainly changed.
I remember my daughter, now an adult, playing Pac-Man on her massive computer, the arcade hall sounds emanating. A distant memory compared to the immersive gaming that my teenage son seeks, a product of the attention economy.
While we derive enormous benefit from the digital economy, from technology and products and services, the use of personal information can also create privacy harms, fuel misinformation, and cause consumer, competition, safety and security harms.
And as harms now traverse regulatory boundaries, the OAIC has focused on regulatory cooperation, and secured additional information sharing powers, to create more efficient regulation.
Regulatory cooperation and coordination is evident in our current investigations into the largest data breaches experienced by Australians since the Notifiable Data Breaches scheme commenced in 2018.
These breaches have created a heightened community awareness and concern for the handling of personal information.
And every day we see the emergence of new technologies that ask questions of our current privacy protections.
As the Australian Information Commissioner and Privacy Commissioner, I've brought the domestic and international regulatory experience of the OAIC to the privacy reform table. In the last financial year alone, the OAIC made 17 submissions and provided advice on over 50 Bills to minimise any adverse impacts on the privacy of Australians.
And we've continued to advocate for broader reforms to enhance Australia's regulatory frameworks to better protect Australians' right to privacy for the next decade. Our right to human dignity and autonomy. Because going back to basics, privacy is a human right.
Privacy law in Australia also recognises the need for the flow of personal information for innovation, the provision of goods and services, and across borders.
We consider that it's time for the law to make express that this occurs in a way that is fundamentally fair and reasonable. Because fair data handling supports trust in the digital economy, and ought to be "a given".
As we near the conclusion of a major review by the Attorney-General's Department into the Privacy Act, I look forward to the next steps towards reform.
While any reform will be a matter for government and the Parliament, my message today is there is no better time than now to review your organisation’s privacy practices to make sure they have the basics covered.
Importantly, as well as complying with current legal requirements, you will be well placed to build on strong privacy foundations and make adjustments as a result of any reforms.
Because as our theme for Privacy Awareness Week suggests, while the technology landscape may be changing rapidly, certain basic principles continue to apply.
For organisations and agencies, taking a privacy by design approach, assessing and monitoring risks and training your staff to prevent data breaches are some of the essentials.
At its most basic:
- Don’t collect personal information that you don’t need
- Securely store personal information
- Delete or deidentify personal information when it is no longer needed.
Many businesses are required to collect certain personal information and to retain it under other laws, for example for anti-money laundering and taxation purposes.
We support the Department’s proposal that there should be a review of all the legal provisions that require retention of personal information.
The goal of the proposal is to determine if the provisions get the balance right, in meeting their intended policy objectives, against the potential for privacy and cyber security risks resulting from entities holding significant volumes of personal information.
And so today I’m going to draw out this “Back to Basics” theme considering four intersecting areas: the community’s expectations, lessons learned from data breaches, the OAIC’s current regulatory priorities and Australian privacy reform.
First to the community. In the coming months, my office will be releasing our Australian Community Attitudes to Privacy Survey 2023.
Known for short as ACAPS, it’s a longstanding study that evaluates the awareness, understanding, behaviour and concerns about privacy among Australians, and is carried out every 3 years.
While the research is being finalised, I can preview some of the initial findings.
The three basic principles I mentioned before – don’t collect what you don’t need, protect that information, and delete it when it is not needed – are rated as the top 3 most important actions that organisations should take to avoid privacy breaches.
It has also been interesting to see the importance that privacy plays in influencing decisions to buy products or services.
Most Australians place a high level of importance on their privacy when choosing a product or service, with 70% saying it’s extremely or very important and another 26% stating it’s quite important.
While quality and price are the key considerations for Australians when choosing a product or service, more than half (52%) ranked data privacy in their top 3 considerations.
Privacy is seen as more important than ‘makes my life easier’ and ‘time it takes to access the service’, indicating the majority of people are prepared to experience some inconvenience in exchange for their privacy being protected.
We can conclude from this that there is a commercial and competitive benefit in organisations taking the protection of personal information seriously.
We will have a lot more to say about our report in coming months but it is clear that concern in the community remains high when it comes to protecting personal information.
The lessons of data breaches
If I were to look for real world examples that could bring home the benefits of the back-to-basics approach, we need look no further than the concerns that have been raised by the community in response to the recent high profile data breaches.
Has your organisation implemented the OAIC’s guidance, heeded our warnings to minimise collection and taken account of our 6 monthly reports on the causes of data breaches?
My call to action is to go back to the basics. First, if you haven't already done so:
Do an audit of what information you’re collecting and your data holdings. Has it been collected and retained in accordance with legal requirements?
It is never too soon to carry this out. Do it now and be prepared.
Secondly, all businesses must take reasonable steps to protect the information they hold, particularly from known risks, such as cyber threats.
Statistics from the OAIC's Notifiable Data Breaches report for July to December 2022 show a 41% increase in data breaches resulting from malicious or criminal attack.
Malicious or criminal attacks (including cyber incidents) accounted for 350 notifications – 70% of all notifications.
45% of the data breaches notified were caused by cyber security incidents. The top causes were ransomware, compromised or stolen credentials and phishing.
Organisations should be taking appropriate and proactive steps to protect against and respond to a range of cyber threats. They also need to train their people to reduce the risk of being tricked by malicious actors.
And thirdly, holding on to data unnecessarily can increase the risk of a privacy breach, and the severity of its impact. Organisations need to know what personal information they hold, where it's stored and have a plan to deidentify or delete it when it's no longer necessary.
Doing these three things will significantly reduce the risk and potential impacts of a data breach.
But there’s still risk, so all organisations need to be prepared and have a data breach response plan. And they shouldn’t be dusting off the plan the first time a breach occurs – it must be tried and tested.
The OAIC has three current areas for privacy regulatory focus.
Security of personal information
It will be no surprise that the first is ensuring the security of personal information.
We have commenced major investigations into Medibank, Optus and Clinical Laboratories (which involves the practices of Medlab pathology), over their data breaches. We are also making preliminary inquiries regarding the Latitude Financial cyber security incident.
These investigations focus on whether reasonable steps were taken to protect personal information held from misuse, interference, loss, and unauthorised access, modification and disclosure.
We are also investigating whether reasonable steps were taken to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
I mentioned our focus on regulatory cooperation, and this is also reflected in our role in the Council of Financial Regulators’ Cyber Security Working Group. The network was formed to assist members to keep each other informed, reduce duplication and address regulatory gaps.
Online platforms, social media and high privacy impact technologies
The second priority is addressing the harms that arise from the practices of online platforms and services that impact individuals’ choice and control, through opaque information practices or terms and conditions of service.
Our focus within this area includes technologies and business practices that record, monitor, track and enable surveillance.
We are also focused on the use of algorithms to profile individuals in ways they may not understand or expect.
These areas align closely with the priorities of the Digital Platform Regulators Forum, comprised of the ACCC, ACMA, eSafety and the OAIC, as we share information and work with other members to tackle these issues.
We are also collaborating with international regulators on these issues. The OAIC leads the Global Privacy Assembly’s International Enforcement Working Group initiative on data scraping.
Through our work on the Global Privacy Assembly’s Facial Recognition Subgroup, we played an instrumental role in developing a resolution passed by the GPA for the appropriate use of personal information in facial recognition technology.
This contributes to promoting consistent high standards of data protection globally on areas of mutual concern.
Facial recognition tools carry heightened privacy risks as they can be used to uniquely identify individuals. Facial features are difficult or impossible to change and they can be used to estimate or infer other sensitive or personal information such as age, sex, gender and ethnicity.
Automated facial recognition systems can collect large amounts of biometric information indiscriminately and without any direct involvement or even knowledge of individuals.
This limits the effectiveness of traditional privacy self-management mechanisms such as notice and consent to provide individuals with control over their personal information, which was an active issue in my determinations involving Clearview AI, Inc. (which Clearview has appealed to the AAT) and 7-Eleven for their uses of facial recognition technology.
We are also investigating the use of facial recognition technology by Bunnings and Kmart, following the report from CHOICE about the retailers’ use of the technology.
Consumer Data Right
The third priority is co-regulating the Consumer Data Right with the ACCC.
The OAIC continues to advise on the regulatory framework for the Consumer Data Right, a major macro-economic reform that has consumer choice and control at its centre, to maintain strong privacy protections.
Consumer confidence in CDR is underpinned by coordinated compliance and enforcement activities by the OAIC and the ACCC.
Our focus is ensuring participants uphold the system’s fundamental privacy safeguards and that consumer information is protected.
We are proactively auditing participants to ensure they are meeting their privacy obligations. We also provide guidance to entities about their CDR privacy obligations and to the public about their rights. And we have primary responsibility for consumer complaints about privacy and data handling in the CDR system.
What the new legislation brought in last year
Turning to recent privacy reforms. The Privacy Legislation Amendment Act came into force in December 2022. It has enhanced the OAIC's ability to regulate in line with community expectations and to protect Australians' privacy in the digital environment.
The Privacy Act provides a range of regulatory powers, which are based on an escalation model.
Where enforcement action is necessary, increased penalties can now be sought through the court.
The increased penalties of up to $50 million mirror recent increases to the maximum penalties under the Competition and Consumer Act and ensure penalties under the Privacy Act are comparable with those of other domestic and international regulators.
This will help incentivise compliance and ensure privacy breaches are not seen as a cost of doing business in Australia.
Civil penalty proceedings are at the highest end of the range of regulatory powers and will be used for conduct that is contrary to the public interest. The amount of the pecuniary penalty is ultimately a matter for the courts to decide and they have well-established principles for determining this.
The Act introduced other measures relating to the Notifiable Data Breaches scheme, which included:
- strengthening the scheme through new information gathering powers with associated infringement notice provisions for failing to give information
- new powers for the OAIC to assess processes and procedures relating to an entity's compliance with the NDB scheme's requirements
- and requiring greater particularity in notifications as to the kinds of information involved in a breach.
It also introduced new information sharing powers, providing clear circumstances where the OAIC can share information with enforcement bodies, alternative complaint bodies and domestic and international privacy regulators. This will help to avoid duplicated investigations and regulatory responses and facilitate engagement with domestic regulators and our international counterparts.
It also simplified extraterritoriality provisions in the Privacy Act, to ensure companies domiciled overseas that carry on a business in Australia must comply with Australia's privacy law.
The issue of extraterritoriality, or jurisdiction, under the previous law has been the subject of legal challenge.
Following a decision by the Full Court of the High Court of Australia in March, we are now able to progress with our substantive proceedings seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter.
The initial action was commenced by the OAIC in the Federal Court in March 2020, and will now go back to the Federal Court to hear the substantive issues.
Future privacy reform
The OAIC’s recommendations to the Attorney-General’s Department can be grouped into three key themes.
The first is increased accountability for regulated entities through a positive obligation for the collection, use and disclosure of personal information to be fair and reasonable in the circumstances.
What’s missing in the current legislation is a clear requirement on the face of the law to consider the privacy impacts on individuals upfront. There needs to be a shift in focus to place individuals at the centre of the privacy framework to avoid harms.
The fair and reasonable test would provide a baseline level of protection. It will allow individuals to engage with products and services with confidence that, like a food or building safety standard, privacy protection is a given.
We can purchase food from a restaurant or grocery store and trust that the food is safe. We don’t have to become experts in food safety standards – there are baseline standards in place to ensure it isn’t contaminated or harmful to us.
We need something similar for personal information handling so when we engage with a service, we can trust that the entity will handle our personal information in ways that are fair and reasonable.
The fair and reasonable test does not seek to prevent businesses from achieving their commercial objectives through innovative uses of data. Rather, it will require businesses to proactively consider whether their personal information handling activities are fair and reasonable.
This includes proactively considering the risk of unjustified adverse impact or harm to individuals. Are there less privacy intrusive ways to achieve the benefits? It's about balance.
Privacy Impact Assessments would be required to be conducted for personal information handling that is likely to have a significant impact on the privacy of individuals.
We also consider there is a need for increased accountability on entities in the wake of a data breach. In our regulatory experience, best practice entities take responsibility for the costs and impacts of data breaches when they occur, and support individuals to take steps to mitigate the harms and impacts that may arise.
We consider that there should be an obligation on entities to take reasonable steps to reduce the harm that is likely to arise for individuals as a result of a data breach. The steps that may be reasonable to take, depending on the circumstances, could include paying for a subscription to a credit monitoring service, assisting individuals to replace compromised credentials such as passports and driver's licences, and engaging providers such as IDCARE to provide post-incident support to individuals.
The Privacy Act Review final report proposes this be further considered.
The second theme is supporting privacy self-management through new and enhanced individual rights.
The review has provided an opportunity to consider how individuals can be provided with greater control over their personal information through individual rights, including a right to erasure and an enhanced right to access.
These additional rights are particularly timely given the significant concern over entities holding information for extended periods, and they have the potential to better equip individuals with the means to exercise choice over who holds their information.
The OAIC has been broadly supportive of reforms that would be interoperable with international privacy laws, to minimise the burden on Australian businesses that operate in other jurisdictions, such as the European Union. The proposed new and enhanced rights draw on elements and serve a similar function to rights under the GDPR.
And we must continue to take account of legislative developments globally. This includes obligations to design online services to better protect children’s personal information that we see in the UK and California and controls in relation to the use of personal information in advertising in the EU and California.
In our engagement with law reform we are focused on ensuring our laws continue to connect around the world, so Australians' data is protected wherever it flows and the burden on businesses operating globally is reduced.
Thirdly, Australia needs a contemporary regulatory framework.
An expanded privacy regulatory toolbox will:
- better enable the OAIC to bring enforcement action where appropriate
- deter non-compliance
- and help to build community confidence that their information is being protected.
The Privacy Act review report proposes the introduction of a new civil penalty regime. This includes a new mid-tier civil penalty provision for interferences with privacy that do not meet the serious threshold and a low-level tier of civil penalty provisions for administrative breaches of the Act with attached infringement notice powers. This would be a quick and cost-effective way to respond to non-compliant behaviour without the need for court proceedings.
Any decision to seek penalties will be proportionate and transparent, in line with our published regulatory action policy and guide.
We also see the need to introduce a direct right of action and statutory tort of privacy.
In summary, based on our regulatory experience we consider the onus needs to shift to ensure organisations build privacy protections into products and services by default and design and that their data handling activities are fair and reasonable. This means putting the individual at the centre of innovation, to prevent the risk of harm.
As busy people, we can’t be expected to read all the fine print. Just as we rely on the safety of our food, we should expect that the privacy basics are taken care of. While there will always be a role for us to read the nutrition labels and make healthy (or not so healthy) choices, it’s time for the law to provide greater privacy safeguards.
In conclusion, I would like to reiterate the basic principle that underpins our current debates.
Our Privacy Act seeks to give effect to the fundamental right to privacy by preventing individuals from being subject to arbitrary interferences with their personal information and protecting them from harm stemming from the misuse of their personal information.
Put simply, data protection and privacy seek to protect our right to autonomy and human dignity. There is a collective societal interest in privacy, which we must not lose sight of.
Thank you for joining today to mark the start of Privacy Awareness Week 2023 and for the work you do as privacy professionals.