Read the transcript of Privacy Commissioner Carly Kind’s radio interview with Patricia Karvelas on ABC RN Breakfast on Wednesday 8 May 2024. Errors and omissions excepted.

Patricia Karvelas: The Federal Government is set to overhaul privacy laws this year as a series of high-profile data breaches expose just how easily personal details can be stolen and shared. The long-anticipated reforms come as Australia gets a standalone privacy tsar for the first time in almost a decade. The job has gone to Carly Kind, who’s just settling in as the new Privacy Commissioner, and Carly Kind joins us this morning. Welcome to the program.

Privacy Commissioner Carly Kind: Thanks, Patricia. Good morning.

Karvelas: Advocates have long called for an overhaul of Australia’s privacy laws. How urgent is that task?

Kind: It’s absolutely urgent. It’s overdue and the work has been ongoing now to understand how to reform the Act for many years. I think we’re on about year seven of the work to understand what those reforms should look like. So the stage is set. I think everybody is ready, including regulated entities, for that change and we’re just waiting for government to bring forward those reforms.

Karvelas: What is the key change the government needs to make?

Kind: Good question. It spans the breadth of the Privacy Act, but I can certainly highlight a few specific changes that will really change the coverage of privacy protection for the Australian community.

The first is that the current privacy regime doesn’t capture small businesses or essentially most businesses in Australia. Ninety-five per cent of Australian businesses aren’t complying with any privacy legislation so that will be the first big change.

The second is that it introduces a new standard of processing, called the fair and reasonable test, in which entities who are acquiring data from Australians and using that data will have to be able to establish that it’s fair and reasonable to collect and use that data in the way they’re doing so. And that’s really important, Patricia, because it circumvents the reliance on consent that we’ve seen in many different parts of the digital economy whereby individuals just kind of click consent or agree to terms and conditions they don’t really understand and which actually lead to harmful privacy practices.

The third set of changes relate to children. So there’s a lot more protections in the new regime around children, including defining a child as anyone under the age of 18 and prohibiting targeting direct marketing to children.

And then another set of changes that might interest your listeners relate to individual rights around privacy. So there’ll be a new statutory tort of privacy introduced in the reforms. There’s rights to erasure and rights to de-indexing on search engines and a range of other individual rights as well.

Karvelas: Individual rights will, of course, interest our listeners who no doubt feel like with the revolution in the internet, a lot of our privacy has really shifted. What will that tort lead to? Like how will it change an individual’s right to privacy?

Kind: So, I mean, the premise of your question is absolutely right that individuals across the Australian community feel very much that their privacy has been eroded over a number of years and want to see stronger privacy protections. Our own research with the Australian community shows that number is around 89% of individuals want to see the government regulate more in this space.

In terms of the individual rights, I think they’re one component of a new regime that we hope will ensure compliance and actually change the system of data use and collection such that individuals won’t have to be complaining about bad practices as much, because actually we’re ensuring compliance in other ways, including, for example, my office will issue guidance for businesses to ensure that they know what good looks like when it comes to data processing. And my office will also be pursuing enforcement initiatives and our enforcement powers will be beefed up.

But it’s true that individuals will also have the ability to bring their own complaints and cases. They already do so under the Privacy Act. They bring complaints to my office. But under the new regime they’ll be able to take actions directly to court.

In terms of what that will look like and how that might change matters, I think it will hopefully give individuals a much better sense of control and agency around their data and that’s something we hear a lot from people that they just feel like things are out of control. So having that route, to go to court directly, I think will empower the community. But we hope people won’t have to use that because we hope that compliance will be ensured through other mechanisms.

Karvelas: Your office does have powers to push for fairly large fines when companies breach privacy laws, but I believe that’s only happened twice in nine years. Do you expect to use those powers more often?

Kind: Absolutely. So in the recent years our powers have been increased dramatically. So, in 2022, the government brought legislation to increase significantly the amount of penalties that we could seek in the Federal Court. Prior to 2022, that number was quite low. But of course, the large data breaches in the last few years have really spurred momentum around legislative reform.

In terms of taking a more enforcement-based approach, as you referenced in your introduction, we’ve only just had a standalone Privacy Commissioner appointed. And so the Office of the Australian Information Commissioner has resumed the three commissioner model that it was originally set up to operate with, and that means we’re much better placed to really take a more front-footed approach to enforcement.

The Privacy Act reforms will further embolden that approach, because they enable us to access a range of different tiers of penalties. Currently, we have to establish quite a high threshold in order to bring action for civil penalties in the Federal Court. And the Privacy Act reforms will introduce a low and a medium tier so that will really permit us to go after a range of different privacy harms and violations across the spectrum.

Karvelas: I know that you’re also interested in the big tech platforms and how they handle our private information. You’re already looking into TikTok. How responsible are companies like Meta and Google and the way they collect and use data and how? I mean, we’ve seen the eSafety Commissioner do its different work, but to try and tackle these companies. Do you have the powers you need to deal with these?

Kind: Good question. I absolutely think that the concentration of power in large technology companies is one of the enabling features of a very exploitative data economy that we see today. Having a very few companies that operate on data driven business models really control the online realms sets quite a low bar around data privacy, and I think has led to some of the more problematic privacy practices.

So, using privacy law amongst other legal regimes to start to rebalance power in the digital ecosystem is really key. And we’ve seen in other jurisdictions where there are stronger privacy laws that privacy regulators have been able to start to chip away at that power imbalance in the data digital economy.

Karvelas: Like where?

Kind: In Europe, for example, the GDPR has really empowered privacy regulators to go after different business models. And so in Europe, for example, you see Meta coming forward with a paid subscription model because they’re being really critiqued by privacy regulators for their kind of poor consent-based practices, for example.

I don’t want to get too kind of wonky for your audience, but just to say that I think privacy law is one lever that we can pull to start to really create more competition in that digital platform economy.

Do we currently have the powers to do so? We’re trying our best to use the powers we have. But I think the new regime of Privacy Act reforms will certainly strengthen our hand.

Karvelas: Google announced yesterday it was introducing a new tool in Australia that lets people see what personal details show up in a search of their name and remove things like phone numbers or email contacts from those searches. Is that positive?

Kind: I think it is positive, Patricia. I mean, this is Privacy Awareness Week, and our campaign for this week is to power up your privacy and to get organisations to take additional measures to protect individuals’ privacy. And Google has done a you know, this is a great example of how organisations can be on the front foot in terms of extending better privacy protections to individuals and using technology to do so.

You know, it’s really important to remember that technology is not just part of the problem, it’s also part of the solution. I think that Google is getting ahead of the Privacy Act reforms, because this new initiative will absolutely be required should those reforms come into play. The rights to erasure and the rights to de-index will require platforms to advance these kinds of abilities to users. But they should absolutely be congratulated for taking that step and getting ready for those changes that are about to come.

Karvelas: Thank you so much for joining us.

Kind: Thank you for having me.

Karvelas: Carly Kind is Australia's Privacy Commissioner, and you’re listening to Breakfast.